Hacker threatens to leak Australians’ medical data in 24 hours

A cybercriminal or cybercrime organisation has threatened to leak customer data from Australia’s largest health insurer within 24 hours after the company refused to cooperate with its extortion attempt.

Australia’s Medibank said on Tuesday it was aware of the threat after announcing the previous day it would not pay a ransom for the personal information of almost 10 million current and former customers.

“We knew the publication of data online by the criminal could be a possibility, but the criminal’s threat is still a distressing development for our customers,” Medibank Chief Executive Officer David Koczkar said in a statement on Tuesday.

Koczkar urged customers to remain vigilant and warned they could be contacted by the criminal directly.

Medibank reported the cyberattack to authorities on October 19 when the company halted trading of its shares. The insurer initially said 4 million customers had been affected before this week revising the figure to 9.7 million.

On Monday, a blogger using the name “Extortion Gang” posted a message on the dark web threatening to publish the hacked data within 24 hours and recommending people sell Medibank shares.

Koczkar said the company had consulted with cybercrime experts before concluding that paying the ransom would not ensure the return of customers’ data and could put “more people in harm’s way by making Australia a bigger target”.

Australia has been hit by a series of recent cyberattacks, including an intrusion that compromised the personal details of up to 10 million customers of the country’s second-biggest telecom. At least eight companies have reported cybersecurity breaches since September, and a government report last week suggested the country records a cybercrime every seven minutes.