A cybercriminal individual or group demanding a ransom has threatened to release Medibank client data as Australia's largest health insurer faces a possible class action over the hacking of sensitive information for 9.7 million current and former customers.
Medibank has confirmed almost 500,000 health claims were accessed and the personal details of former and current customers were exposed when an unnamed group hacked into its system weeks ago.
Around midnight, an individual or group posted a ransom demand to its dark web blog that "data will be publish [sic] in 24 hours".
"P.S. I recommend to sell medibank [sic] stocks."
By the close of trade on Tuesday, Medibank shares were down around 1.8 per cent at $2.78, having traded even lower earlier in the session amid the threats of the data leak and potential class action lawsuits.
UNSW cybersecurity expert, Professor Richard Buckland, said it is impossible to be sure if the threat is genuine.
"We can't know for sure that it is the hackers that have posted it, because no data was posted with it, but it looks very plausible," he told ABC News.
"It's exactly what we're expecting once they were told they weren't going to be paid the ransom.
"The next step for them in this business is to then release the data — if they don't release the data they're not able to make future ransom threats."
Cybersecurity expert Tony Hunt agreed with that assessment.
"This is horrendous, but not unsurprising if you look at ransomware like a business," Mr Hunt posted.
"If they *don't* dump the data publicly, what message does that send to future 'customers'?"
Derivative attack?
However, Professor Buckland said it was also possible that this threat was an act of attempted share market manipulation.
"There is a possibility, of course, that this announcement that the data's going to be released isn't from the group that has the data, but is instead some sort of what we call a derivative attack," he added.
"In an attempt to depress the share price someone may have short sold Medibank — sold more than they have, wait for the share price to drop after this announcement, after the threat, and then buy it back — it's a way of actually making more money than the ransom sometimes."
Henry Jennings, a market strategist and commentator with Marcus Today, said that if the hackers were motivated by short-selling Medibank then they have already had a big payday.
"If you were in that business of shorting shares, then you've already done pretty well," he said.
"The stock price has fallen from around $3.60 to around $2.75 at the moment, so a lot of that damage has been done already.
"Shorting is basically when you sell shares that you don't own, on the basis that you buy them back at a lower price and thus make a profit."
'Distressing development'
The company released a statement this morning noting that it was aware of media reports of the "purported threat" to released hacked customer data.
"Customers should remain vigilant," said Medibank chief executive David Koczkar in the statement.
"We knew the publication of data online by the criminal could be a possibility, but the criminal's threat is still a distressing development for our customers.
"We unreservedly apologise to our customers. We take seriously our responsibility to safeguard our customers and support them.
"The weaponisation of their private information is malicious, and it is an attack on the most-vulnerable members of our community."
On Monday, the Medibank boss said that paying a ransom could make Australia a bigger target for data theft by giving criminals an incentive.
"Based on the extensive advice we have received from cybercrime experts, we believe there is only a limited chance paying a ransom would ensure the return of our customers' data and prevent it from being published," Mr Koczkar said.
Home Affairs Minister Clare O'Neil said Medibank's decision not to pay a ransom to cyber criminals was in line with government advice.
However, Professor Buckland said given the sensitive medical data involved in this case the argument for paying the ransom was perhaps more compelling.
"Personally, I'd have been very tempted to pay," he said.
"I think it's a very bad thing to do, but Australian companies usually do pay the ransom."
Appearing at a Senate estimates hearing on Tuesday, Australian Federal Police commissioner Reece Kershaw fired a warning at businesses to ensure they contacted authorities as early as possible when a data breach might be occurring.
With the AFP launching operations to tackle both the Medibank and Optus data breaches, Mr Kershaw said the long and complex investigations would use significant resources.
"Apart from sending a warning to cyber criminals that the AFP will relentlessly pursue them, I also have a message to business: Please alert authorities immediately when a data breach is suspected," he said.
"It's like any crime scene. The longer it takes relevant agencies to be informed, the harder it is for perpetrators to be identified, disrupted or brought to justice."
Medibank class action looming
Meanwhile, two law firms — including one behind a successful case involving a NSW Ambulance data breach — said they believed Medibank betrayed customers and breached the Privacy Act by not stopping the hack.
"Medibank has a duty to keep this kind of information confidential," Bannister Law and Centennial Law said in a statement late on Monday.
"This latest data breach exposes the lack of safeguards in place to prevent such personal and private information being released to wrongdoers and Medibank and ahm have failed policyholders in these circumstances."
The law firms will investigate the terms of the contracts the medical insurance provided to customers and whether damages are appropriate.
No case has yet been filed with a court.
The hacker accessed the health claims of about 160,000 Medibank customers, about 300,000 claims from customers of offshoot ahm and about 20,000 international customers.
Names, dates of birth, address, phone numbers and email addresses were also accessed, raising concerns about future identity fraud.
No credit card or banking details were accessed.
Medibank has urged its customers to be vigilant with all online communications and transactions, including the risk of phishing scams, texts or emails from unknown senders and with changing passwords.
The company reiterated that it would never contact customers and ask for password or other sensitive information.
Customers are advised to call the company with any further enquiries on 12 23 31 for Medibank and international customers, 13 42 46 for ahm customers and 1800 081 245 for My Home Hospital patients.
ABC/AAP
