Medibank hack: messages hackers sent to private health boss as private data sold on dark web

Read the sinister messages hackers sent to the Medibank boss as the personal details – and sensitive medical conditions – of millions of customers are posted on the dark web

  • Hackers launched a cyber attack on health insurance firm Medibank last month
  • They demanded Medibank pay a ransom or risk their clients’ data being leaked
  • Medibank tried to stall and trick hackers into showing what they really had
  • Group released info of HIV-positive patients and those with drug addictions
  • Other customers also had their names, addresses and birth dates leaked

Medibank and Russian hackers spent weeks discussing threats to leak the private information of millions of Australians to the dark web before the cybercriminals pulled the trigger.

Hackers began leaking Medibank customers’ personal information on Wednesday, including details relating to people who are HIV-positive, have drug addiction issues or have mental health diagnoses.

WhatsApp messages between the clandestine group and CEO David Koczkar were also released.

The messages and emails published by the hackers, a group known as BlogXX and linked to REvil, revealed how Medibank bosses stalled as they tried to work out what data was at risk and who had it.

Medibank tried to trick Russian hackers into showing their hand and revealing what information they really had as they tried to determine the risk, before refusing to pay any ransom

Pictured is a message purportedly sent from Medibank to the hackers that stole its data

Medibank’s response to Russian hackers saying it would not pay the ransom is pictured

Medibank reported a ‘cyber incident’ on October 13 and took the data and policy systems of its budget provider, AHM, and its international student division offline.

The hacker group made the first move, directly contacting Mr Koczkar, on WhatsApp on October 18, The Australian reported.

‘Hi! As your team is quite shy, we decided to make the first step in our negotiation,’ the message said.

The hackers outlined their plans to sell Medibank’s database to ‘third parties’ in their opening salvo.

The message identified a selection of Medibank customers the hackers had put on a ‘naughty list’, including ‘[people with] most followers, politicians, LGBT activist, drug addictive people etc’.

Medibank representatives tried repeatedly to get the hackers to show their hand to determine the risk.

The hackers had demanded a ransom to stop them from releasing the data, but Medibank earlier this week said it would not pay it (stock image)

More than 100 Medibank patients battling addiction had their information leaked in a ‘naughty-list’ file. The leak included their names, addresses and birth dates

‘We need to be sure you’re the person who says they have our data, [so] can you tell us all the addresses and phone numbers you sent messages to?’ a Medibank representative wrote.

The hackers responded: ‘Ok we wait’.

Medibank tried again, saying: ‘Please tell us phone numbers and emails you used, so we know which ones are really you.’

The hackers sent a full listing of stolen files, to which Medibank replied: ‘We need time to review, we will get back to you’.

The company then disclosed to the Australian stock exchange that hackers had contacted it to ‘negotiate’ over 200 gigabytes of customer data stolen from Medibank’s systems.

That drew a sinister response from the hackers, who said: ‘Judging by your public statements, you are not in the mood for negotiations’.

On October 25 they gave the company ‘one day’ to pay a ransom before promising to ‘do everything in our power to inflict as much damage as possible for you, both financial and reputational’.

The private data of Medibank customers battling alcohol and drug addiction was leaked by hackers onto the dark web on Wednesday morning (stock image)

Pictured is important advice for people affected by the Medibank and AHM data hacks

Negotiations broke down on November 2, before Medibank outright refused to pay a ransom three days later.

On Wednesday, November 9, the hackers began leaking the private data of selected Medibank customers.

The cyber attack was launched on Australia’s largest private health insurer last month, putting the sensitive personal information of its 9.7 million current and former customers at risk.

The group posted the ‘naughty-list’ file on the dark web on Wednesday morning. It contained details of more than 100 patients who have been treated for alcohol abuse, cannabis, cocaine or opioid addiction, HIV or mental health issues.

The data on the naughty list also included patient names, home addresses, birth dates and health insurance details.

A ‘good-list’ was also published on the dark web that featured the same categories of private information for other Medibank customers.

Wednesday’s data dump contained the personal information of 198 patients in total.

The hackers posted a bizarre meme (pictured) before they threatened to release the personal data of millions of Australians unless Medibank paid up, which it didn’t

Medibank has promised to tell customers what information it believes has been stolen and posted on the dark web, and to give advice on what to do if their data has been compromised.

‘The files appear to be a sample of the data that we earlier determined was accessed by the criminal,’ the company said on Wednesday.

The hackers are expected to continue leaking the private information of more Medibank customers over the coming days.

Prime Minister Anthony Albanese, who is himself one of the customers affected by the leak, said government security agencies are working with Medibank following the latest leak.

‘The company has followed the guidelines effectively, the advice, which is to not engage in a ransom payment,’ Mr Albanese said.

Prime Minister Anthony Albanese (pictured), who is one of the customers affected by the leak, said government security agencies were working with the health insurer

Read the sinister messages Russian hackers sent to Medibank

Russian hackers (to Medibank chief executive David Koczkar): 

‘Hi! As your team is quite shy, we decided to make the first step in our negotiation.

‘We have 200gb sensitive data from your RedShift Cluster. We offer to start negotiations in another case we will start realizing our ideas like:

  1. Selling your Database to third parties
  2. But before this we will take 1k most media persons from your database (criteria is: most followers, politicians, LGBT activist, drug addictive people etc)

‘Also we’ve found people with very interesting diagnoses.’

[The hackers then send a ‘naughty list’ of 100 customers’ details to Medibank]

Medibank to Russian hackers:

‘Hello. We received your message. We want to talk with you, but need to be sure you’re the person who says they have our data.

‘Can you tell us all the addresses and phone numbers you sent messages to?’

Russian hackers to Medibank:

‘Ok, we wait.’

Medibank representative to hackers:

‘We want to talk, but you send different messages to different people,’ the representative wrote in an email purportedly sent on October 20.

‘We think some of these messages don’t come from you. Please tell us phone numbers and emails you used, so we know which ones are really you.

‘You also can not send data to other people when we try talking with you. We need to confirm these things please. We try to make this work.’

Russian hackers (to Medibank):

[Full listing of stolen files sent to Medibank]

Medibank to Russian hackers:

‘Received. We need some time to review. We will get back to you.’

Russian hackers to Medibank (after reading media statement):

‘Judging by your public statements, you are not in the mood for negotiations and we have nothing to do but start posting data and also inform users that their data has been compromised and this is purely the fault of your company. 

‘In addition to informing, we will also drop the link to a public source where the data is published so that it would be easier for them to form a lawsuit, we will regularly post data every day and support the news feed.

‘But we are also ready to give you a day to think about how you should be better. And we advise you to proceed to the discussion of the price of demand. In the event of a negative outcome of the negotiations for us, we will do everything in our power to inflict as much damage as possible for you, both financial and reputational.’

Medibank to Russian hackers:

‘We still want to work with you to protect our customers data. We don’t know who you are, so it’s very hard for you to trust.

‘How do we know you will destroy and never publish our customers’ data?’

Russian hackers to Medibank:

[The hackers say negotiations have reached ‘a dead end’.]

Medibank to Russian hackers:

‘After considering all actions, we have made a decision that we cannot pay your demand.

‘It is also Australian government policy that ransoms should not be paid. We understand the impact this may have.’

Source: The Australian

Former tennis champion and Channel 9 broadcaster Todd Woodbridge is one of those who have been targeted by scam calls in the wake of the breach.

The 51-year-old, who suffered a mild heart attack last month, got five calls in a row from the same number yesterday.

‘They ended up leaving me a message and the message was that I had bills to pay from the hospital stay that I had,’ he told Heidi Murphy on 3AW.

‘They knew the hospital that I had stayed in and they wanted me to ring back and give me an account number and wanted me to pay over the phone.’

The Australian Federal Police has expanded its joint initiative with state and territory police set up to investigate September’s Optus data breach to also target the Medibank hack.

‘Operation Guardian will be actively monitoring the clear, dark and deep web for the sale and distribution of Medibank Private and Optus data,’ AFP Assistant Commissioner Cyber Command Justine Gough said.

‘This is not just an attack on an Australian business.

‘Law enforcement agencies across the globe know this is a crime type that is borderless and requires evidence and capabilities to be shared.’

Medibank apologised again to clients past and present. It advised customers to be alert for phishing scams arriving by phone, post or email, such as callers claiming to be chasing unpaid hospital bills.

Medibank data hack timeline

October 13: Medibank took the data and policy systems of its budget provider, AHM, and its international student division offline after a ‘cyber incident’

October 14: Medibank said it had restored its systems and said it was ‘still responding’ to the incident

October 19: The company disclosed to the Australian stock exchange that hackers had contacted it to ‘negotiate’ over 200 gigabytes of customer data stolen from Medibank’s systems

October 26: Medibank confirmed the hackers behind its ‘devastating’ data breach had managed to access all of its customers’ private health records

October 27: It emerged that Medibank faced costs of up to $30 million after it was revealed it had no cyber insurance to cover the attack

November 8: The hackers threatened to expose the personal data of millions of Australians unless Medibank paid up within 24 hours. The company refused to pay, saying ‘you just can’t trust a criminal’

November 9: The ransomware group began posting client data stolen from Australia’s largest health insurer on the dark web