Following its reluctance to pay a ransom, Medibank revealed on Thursday that the threat actors responsible for the disastrous cyberattack have disclosed another data dump of information taken from its systems on the dark web.
The Australian health insurance said, “We are in the midst of reviewing the data, but the data released looks to be the data we assumed the hackers stole.”
“There are currently no indications that financial or banking information has been stolen while our investigation is ongoing. Additionally, the stolen personal information by itself is insufficient to support financial and identity theft. We have only examined a small portion of the raw data today, and it is confusing.”
The disclosure comes over a month after the business disclosed that, as a result of a ransomware incident in October 2022, personal information belonging to about 9.7 million of its current and past customers was accessed.
Included in these are 5.1 million Medibank clients, 2.8 million ahm clients, and 1.8 million foreign clients. Health claims for around 160,000 Medibank clients, 300,000 ahm consumers, and 20,000 overseas customers could also be accessed.
The most recent dataset, which was uploaded as six ZIP archive files, contains information about health claims, though Medibank noted that much of the data is fragmented and hasn’t been integrated with client names and contact information.
The attackers are thought to be from Russia and associated with the REvil ransomware organization, which earlier this May mounted a comeback.
Australian Federal Police (AFP) Commissioner Reece Kershaw stated last month that “our intelligence leads to a group of loosely related cybercriminals, who are likely responsible for past big breaches in nations across the world.”
Additionally, the inquiry of Medibank’s data handling procedures in relation to the security incident has been announced by the Office of the Australian Information Commission (OAIC), which also happens to be a development at the same time.
The telecom giant Optus is already the subject of a similar investigation to see if the organization “took reasonable efforts to secure the personal information they stored against misuse, interference, loss, unauthorized access, modification, or disclosure” after a breach in late September 2022.
The large-scale data breaches have also caused the Australian government to enact new legislation, which can result in businesses being fined up to AU$50 million for major or persistent data breaches.