A ransomware group has threatened to release the data of 9.7 million customers of Australian health insurance provider Medibank Private Limited. On Monday, Medibank said that it would not pay a ransom to attackers who had allegedly stolen sensitive data on 9.7 million present and former customers.
That gamble produced a response today, with the ransomware group issuing a 24-hour deadline for payment or seeing sensitive medical claims data released. Medibank now faces a possible class action from current and former customers, in what the health insurer has described as a distressing development. Medibank is one of Australia's largest private health insurers, covering over 3.9 million people and having 4,000 employees.
Medibank confirmed that almost 500,000 health claims were accessed and the personal information of both previous and present clients was exposed after when an unidentified gang broke into Medibank's system a few weeks ago.
While the ransomware organization responsible for the attack on Medibank has not yet been identified, the company has confirmed that the malicious activity it has seen on its network is consistent with ransomware activity.
On Monday, after Medibank declined to pay the ransomware gang, the attackers announced on its darknet site after midnight that "data will be publish in 24 hours."
The post's threat was not supported by any data samples. Also, the gang has not yet disclosed how much information it stole from Medibank's network, and it has not given any evidence to back up its claims.
David Koczar, the chief executive of Medibank, did not clarify whether the group was the same as the one the company had been in contact with, but he did call it a "distressing development" in a statement on Tuesday.
Koczkar said the amount asked by the extortionists – which he did not reveal – was "irrelevant." Even if Medibank paid, there's no guarantee that the data will be deleted, he said.
"Customers should remain vigilant. We knew the publication of data online by the criminal could be a possibility, but the criminal's threat is still a distressing development for our customers," he said.
"This is horrendous, but not unsurprising if you look at ransomware like a business," cybersecurity expert Troy Hunt said on Twitter on Tuesday.
"If they *don't* dump the data publicly, what message does that send to future 'customers'?"
Customers and Medibank at Risk
The ransomware gang REvil, which was thought to have been shut down in October of last year, is linked to the website where the Medibank threat was posted. The group's website was revived in April of this year.
REvil "was brash and often taunted its victims," according to threat expert Brett Callow of Guardian Australia. So, the post's inclusion of a link to ABC comedian Mark Humphries' satirical film about the Medibank data theft is in keeping with their style.
Koczkar said on Monday that paying a ransom may make Australia "a bigger target" for data thefts by providing criminals with an incentive.
"Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers' data and prevent it from being published," he said.
The decision by Medibank not to pay a ransom to online thieves was in accordance with government instructions, according to home affairs minister Clare O'Neil.
Additionally, Medibank stated that it believes the cybercriminals responsible for the October attack did not gain access to financial data (such as credit card and banking information), primary identification documents (such as driver's licenses), or health claims information for additional services (like dental, physio, optical and psychology).