Hackers Threaten to Sell Stolen Medibank Data, Seek Ransom
Australian Insurance Firm 'Working Urgently' to Verify Theft Claim
A ransomware group claiming to have stolen personal data from Australian insurer Medibank is demanding payment, the company announced just days after assuring customers that it had seen no evidence of data theft stemming from a cybersecurity incident it detected on Oct. 12.
The company, Australia's largest provider of private health insurance, said it is halting trading of its shares on the Australian Stock Exchange for the second time in as many weeks as the fallout from its hacking episode grows.
"Medibank is working urgently to establish if the claim is true, although based on our ongoing forensic investigation we are treating the matter seriously at this time," reads the company's newest public update. Customers may experience temporary disruptions to online services as back-end systems are hardened, it added. The company is working with the Australian Signals Directorate’s Australian Cyber Security Centre and the Department of Home Affairs, Minister for Home Affairs Clare O'Neil disclosed in a statement.*
Medibank first disclosed on Oct. 13 that it had found "unusual activity" on its network the day before, leading it to pull customer-facing systems offline and suspend trading for the rest of the week. That activity was "consistent with the precursor to a ransomware event," the company said Monday in a statement in which CEO David Koczkar emphasized that the company had found no evidence of attackers having exfiltrated customer data (see: Australian Insurer Medibank Says Incident Was Ransomware).
Lack of evidence in the initial stages of a cyberattack investigation is not rare. It can take weeks, if not months, to get a comprehensive view of an incident.
Hackers threatened to sell 200 gigabytes' worth of sensitive Medibank customer information, including health records and credit card numbers, The Sydney Morning Herald reports. The newspaper says it obtained the ransom note, which threatens to email 1,000 "most prominent" Medibank customers with data taken from the insurer's system. "Also we've found people with very interesting diagnoses. And we'll email them their information," the ransom note reportedly says.
Medibank did not confirm these claims to Information Security Media Group.
Fearing a sell-off of the company's shares, Medibank asked the Australian Securities Exchange to impose a trading halt on its shares Wednesday morning before announcing the recent update on the cyber incident.
The last trading halt was imposed on Oct. 13 and was lifted this Monday. The company ended Monday with shares down 3.4% (see: Australian Insurer Back Online After Cyberattack).
*Update Oct. 19, 2022 22:33 UTC: Adds statement from Clare O'Neil, minister for home affairs.
With reporting from ISMG's Jeremy Kirk in Australia.