CANBERRA, Australia — Extortionists dumped stolen client records relating to pregnancy terminations on the dark web on Thursday in their latest effort to pressure Australia’s largest health insurer to pay a ransom.
The cybercriminals began dumping customer records on Wednesday including treatments for HIV and drug addiction after Medibank this week ruled out paying a ransom for the return of the hacked data.
The criminals, who used the name “Extortion Gang,” on Thursday posted that they had demanded $9.7 million — $1 for the records of each of the 9.7 million current and former Medibank customers that were stolen.
Most concerning was the theft of health claims for almost 500,000 customers that include diagnoses and treatments.
Medibank CEO David Koczkar condemned the release of Thursday’s tranche of data as “disgraceful.”
“The weaponization of people’s private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community,” Koczkar said in a statement.
Cybersecurity Minister Clare O’Neil described the targeting of women who had terminated pregnancies as “morally reprehensible.”
“Yesterday, I indicated to the Parliament that the consequences of the Medibank hack were likely to get worse, and today those fears have been realized,” O’Neil told Parliament.
“And I want to say, particularly to the women whose private health information has been compromised overnight, as the minister for cybersecurity but, more importantly, as a woman, this should not have happened,” she added.
Medibank and government services were standing ready to support all customers in need even if a “large data dump occurs,” O’Neil said.
The extortionists have warned that the dumps will continue daily.
Cybersecurity expert and Medibank customer Nigel Phair spoke of his frustration at not knowing how much of his personal data had been stolen.
“You just don’t know what’s been lost of your own details: Is it your name, your date of birth, is it your address, is it everything and more?” Phair told Australian Broadcasting Corp.
Medibank had failed to adequately address basic risk management questions on what data was stored, where it was stored, who had access and how that data was accessed, Phair said.
“If they’d done that competently beforehand, and put appropriate controls (in place), this wouldn’t have happened,” Phair said.