Australia: Hacker demands $10m to stop leaking locals’ medical records

A cyber-extortionist has demanded almost $10 million to stop leaking the medical records of Australians caught up in one of the country’s worst cyberattacks.

In a message posted on the dark web early on Thursday morning, the hacker said it was demanding $1 from Medibank, Australia’s largest private health insurer, for each of the 9.7 million customers affected in an enormous data breach last month.

The cybercriminal or criminal organisation also posted information purporting to link clients to their abortions, after earlier this week releasing a “naughty list” appearing to show customers who received treatments for addiction, mental health issues and HIV.

Local media have linked the dark web forum used to post the hacked data to the crime group REvil, which Russian authorities said they shut down earlier this year at the request of the United States.

Medibank CEO David Koczkar on Thursday condemned the hacker’s actions as “disgraceful” while reiterating an apology to customers.

“We remain committed to fully and transparently communicating with customers and we will be contacting customers whose data has been released on the dark web,” Koczkar said.

“The weaponisation of people’s private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community.”

Medibank has refused to pay the ransom, citing advice from cybercrime experts that doing so would not ensure the return of customers’ information and could put “more people in harm’s way by making Australia a bigger target”.

The Australian Federal Police, which is investigating the cyberattack, has warned that downloading or even just accessing the data could be a criminal offence.

Home Affairs Minister Clare O’Neil has described the hackers as “scummy criminals”.

“I cannot articulate the disgust I have for the scumbags who are at the heart of this criminal act,” O’Neil told parliament on Wednesday.

The cyberattack, which first came to light last month, is the latest in a series of large data breaches to rock Australia.

Optus, Australia’s second-largest telecom provider, announced in September the data of up to 10 million customers had been compromised in a cyberattack against the company.