Cyber Extortionists Release Sensitive Medical Records in Ransomware Attack
Cybercriminals are ramping up the pressure for Australian health insurer Medibank to pay a hefty ransom for customer records stolen through a breach. The self-named “Extortion Gang” dumped stolen client records related to pregnancy terminations, HIV, and drug addiction treatments on the Dark Web this week, the Associated Press reported.
Medibank is holding firm, refusing to pay out any ransom for the data, citing expert advice and government guidelines, according to ZDNet. Medibank CEO David Koczkar called the theft and illegal release of the information online disgraceful, adding that “the weaponization of people’s private information in an effort to extort payment is malicious and an attack on the most vulnerable members of our community.”
Medibank urged the public to not download the data.
Find out your top seven security news stories, delivered to your inbox weekly, and powered by ASIS International.
The insurer first announced the breach on 13 October, later disclosing that the attack compromised the personal data of 9.7 million current and former customers, including 1.8 million international customers. The hackers did not access primary identity documents like driver’s licenses or credit card information, but they were able to access names, dates of birth, addresses, phone numbers, and email addresses, ZDNet reported.
For 480,000 customers, health claims data—including locations where they received medical services and codes linked to diagnoses and procedures—were also leaked. Australian Cybersecurity Minister Clare O’Neil described the targeting of women who had terminated pregnancies as “morally reprehensible,” the AP reported.
The cybercriminals posted today that they demanded AU$9.7 million in ransom money—$1 for each customer whose records were stolen. The group has warned that the dumps of data will continue daily unless it receives payment.
The publication of consumers’ private data could cost Medibank dearly—if customers decide to sue for damages, the insurer could be on the hook for AU$700 million ($450 million USD) in compensation and system fixes, if not more, Bloomberg reported.
In October, O’Neil warned Australians to expect more cyberattacks in the future.
“This is the new world that we live in,” she said. “We are going to be under relentless cyberattack, essentially from here on in. And what it means is that we need to do a lot better as a country to make sure that we are doing everything we can within organizations to protect customer data, and also for citizens to be doing everything that they can.”
The Australian government has been focusing on cyberattacks as well. Legislation to increase financial penalties for data privacy violations passed on 9 November, pushing maximum fines for serious or repeated breaches from AU$2.22 million to AU$50 million, three times the value of any benefit obtained from the misuse of the data or 30 percent of the company’s adjusted turnover in the relevant period—whichever is highest.
Extortion is a frequent escalation in ransomware attacks. Cybercrime groups lock systems before threatening to publicly release data unless the victim pays a ransom, CISA reported. This affected the Los Angeles Unified School District and video game developer Rockstar Games in Sepember. In the latter attack, cybercriminals leaked hacked footage from an upcoming Grand Theft Auto game when they were not paid a ransom. Some malicious actors have even posed as legitimate penetration testers to gain easier access to their victims’ data.
Ransomware is the “biggest, noisiest threat we’ve seen in the world from a cybersecurity perspective,” said Jon Clay, vice president of threat intelligence at Trend Micro, in a presentation at GSX 2022. “Once you’re infected, you know it.”
And threat actors only play this card—of notifying their victims that their data has been compromised, is encrypted, and might be published online if they fail to pay up—when they’ve achieved their other goals, such as stealing intellectual property or obtaining and selling company credentials, the GSX Daily reported.
“Ransomware is the last revenue opportunity for these groups,” Clay added. “The likelihood they’ve been in your network for days or weeks is high.”
Negotiations over ransoms are typical, but paying the ransom is not recommended, he added.
“Every time you pay a ransom, you’re funneling more to these groups to do ransomware activities against others,” Clay explained. “But you, as an organization, need to make that decision.”
Nearly four out of five breaches can now be attributed to organized crime, with external actors more than four times as likely to cause a breach at an organization than an internal actor. https://t.co/uCWOV7FKXq— Security Management (@SecMgmtMag) October 7, 2022
Medibank’s CEO Koczkar seems to agree.
“Based on the extensive advice we have received from cybercrime experts, we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published," he said in a statement earlier this week to the Australian Stock Exchange. "Paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.
“It is for these reasons we have decided we will not pay a ransom for this event," he added. "This decision is consistent with the position of the Australian government.”