Medibank on Thursday confirmed that the threat actors behind the devastating cyber attack have posted another dump of data stolen from its systems on the dark web after its refusal to pay a ransom.
“We are in the process of analyzing the data, but the data released appears to be the data we believed the criminal stole,” the Australian health insurer said.
“While our investigation continues there are currently no signs that financial or banking data has been taken. And the personal data stolen, in itself, is not sufficient to enable identity and financial fraud. The raw data we have analyzed today so far is incomplete and hard to understand.”
The leak comes almost a month after the company acknowledged that personal data belonging to around 9.7 million of its current and former customers were accessed following a ransomware incident in October 2022.
This includes 5.1 million Medibank customers, 2.8 million ahm customers, and 1.8 million international customers. Also accessed were health claims for about 160,000 Medibank customers, 300,000 ahm customers, and 20,000 international customers.
The latest dataset, uploaded as six ZIP archive files, includes health claim information, although Medibank noted that much of the data is fragmented and is not combined with customer names and contact details.
The perpetrators of the attack are suspected to be located in Russia and connected to the REvil ransomware group, which staged a return this May.
“Our intelligence points to a group of loosely affiliated cyber criminals, who are likely responsible for past significant breaches in countries across the world,” Australian Federal Police (AFP) Commissioner Reece Kershaw said last month.
The development also coincides with the Office of the Australian Information Commissioner (OAIC) announcing an investigation into Medibank’s data handling practices in connection with the security incident.
A similar probe is already underway into telecom giant Optus, which suffered a breach in late September 2022, to determine if the company “took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorized access, modification, or disclosure.”
The mega breaches have also prompted the Australian government to pass new legislation that can result in companies facing up to AU$50 million in fines for repeated or serious data breaches.