
Data at risk just asking for Medibank quote

New emails show millions of customers who merely enquired about Medibank policies had their data caught up in one of Australia’s largest cyber breaches.

Pedestrians walk past a Medibank store in Sydney last year. Picture: NCA NewsWire / Christian Gilles

Australians who inquired about but did not purchase corporate private health policies via their employer are the latest victims of the nation’s second-largest cyber breach, with their personal details, including home addresses, phone numbers and visa subclasses, being exposed on the dark web.

Non-customers of Medibank who were drawn to discounted programs advertised by their employer as a workplace benefit are now having to secure their emails, password and other details after they were stolen by a hacker.

Emails seen by The Australian show that those who enquired about policies with Medibank have had their first name and surname, gender, date of birth, email, address and phone number exposed, along with their visa subclass, start date and expiry date if they were an overseas worker.

“Hi, we’re writing to you as you had previously obtained a quote from Medibank. We’re deeply sorry to inform you that we believe some data you provided for the quote has been stolen and released on the dark web, as a result of the recent cybercrime,” read Medibank’s email to customers.

Of the 9.7m people caught in the Medibank breach, 4 million were active customers at the time of the breach. Others included legacy customers, AHM customers and non-customers who had requested quotes.

“We sincerely apologise to all customers who have been impacted by the cybercrime. We have a Cyber Response Support Package available for all customers, including people who received a quote, which includes mental health, identity protection and financial hardship measures,” a Medibank spokeswoman told The Australian.

Non-Medibank customers who inquired about private health policies but did not join the provider have had their details exposed on the dark web. Picture: NCA Newswire / Gaye Gerard


The intrusive race for companies to collect as much data as possible is increasingly putting people at risk of cyber breaches, and in many cases is happening beyond their knowledge, said Macquarie University security studies and criminology associate professor Jeffrey Foster.

“When we look across these kinds of data, you can see why companies want this, even if you’re not a customer. They want that personal information and your contact to help them make you a customer later on,” he said.

“It makes it difficult for a company to intentionally remove this data when it adds financial value to them and is not regulated.”

Most people who had inquired about private health insurance with Medibank would have been largely unaware the company had stored their data and that their personal information could have been breached, he said.

“Of course, there will have been a tick box they ticked somewhere that said, ‘I have read and agree to the terms of this agreement’. The biggest lie ever told is that particular line … nobody reads it.”

The news of non-customers being caught up in the Medibank breach should alert the broader public to the dangers of what almost all companies are doing with consumer data, Mr Foster said.


In 2012, the New York Times reported that an angry father accused Target of “trying to encourage” his teenage daughter to get pregnant after she had received marketing coupons for maternity clothes and nursery furniture.

When a manager called to apologise a few days later, the man reportedly said: “It turns out there’s been some activities in my house I haven’t been completely aware of. She’s due in August. I owe you an apology.”

Companies are increasingly using data, statistics and prediction models to determine consumer health and daily habits, often tying their credit card numbers, loyalty membership IDs and IP addresses to data profiles.

“Now maybe there were 999 other teens that weren’t actually pregnant and got the same marketing, but that’s the kind of picture that companies can paint,” Mr Foster said.

“The problem is the scale and the scope of what has occurred now. Not only do companies collect this information and put it online, but they try to connect it to as much data about you as possible, even if those data have nothing to do with the company you gave information to,” he said.

“It starts to paint a whole picture about who you are as a person.”

The rise of data brokers, who collect, analyse and sell data, has allowed corporations, including those in retail, to get an even deeper look into your life, from who your friends and family are to your age and other information you never gave to them, Mr Foster said.

“These companies who you’ve given just very little bits of information will now create a vast amount of data that paints a picture of who you are. They do it for marketing purposes and they do it so they can sell you things. But it creates an ecosystem of data that never used to exist.

“They can get information that tells them where you work, how much money you make, what kind of clothes you like to buy. And with all this personal information, they know more about you than even you know about yourself.”


Original URL: https://www.themercury.com.au/business/data-at-risk-just-asking-for-medibank-quote/news-story/a0b0ca288e41997c215bdf10d6c1be65