Stolen health records for millions of Australians have been released on the dark web after hackers threatened 24 hours earlier to do just that. Last month, unknown hackers demanded a ransom from Medibank, a private insurer in Australia, which the company refused to pay.
The hackers, who claimed to have spent a month poking around Medibank’s systems, have published what they called ‘naughty’ and ‘nice’ lists of health records, with the ‘naughty’ list including people who have sought treatment for things such as addiction and eating disorders. And they claim they have only just started releasing the stolen information.
The hackers have also published emails they sent and received with Medibank while negotiating the ransom. The emails, if authentic, show the hackers declining to be named other than to say they belong to a “partner group.” Security researchers named the group BlogXX, which is a partial name of the onion address where the stolen data was posted. Surprisingly, the domain was run by the Russian-based REvil ransomware gang, although it is unclear if some of the hackers are the same.
In one of the email exchanges published by the hackers, a Medibank representative asks how they know the hackers will actually delete the data if they pay the ransom. “We are operating, even if it is not legal, and we are concerned about our reputation. This is the key to payments,” reads the hacker’s response. “We’re interested in getting money, not destroying your company,” the hackers continue.
Whatever their intent, these hackers have now released information that could be used to destroy the lives of normal people who may be struggling with a spectrum of mental health and addiction issues. In an email to Gizmodo on Wednesday morning, Medibank declined to comment on the authenticity of the images the hackers posted.
To make matters even more complicated, Medibank had no cyber insurance despite being an insurance company. The company stands to lose tens of millions of dollars, according to some estimates, and lawsuits are already in the works.
The thieves first published a threat in October to release sensitive data, including detailed health information, involving high-profile people in Australia, including politicians, actors and activists. The threat was in broken English, leading many people to assume that the hackers are not from an English-speaking country. The hackers even spell the city of Sydney as ‘Sidney’ in their email exchange with Medibank.
While Medibank has about 3.9 million current customers, the hacked data includes information on about 10 million victims because it also includes former customers, according to Australia’s ABC News. The data has not yet reached the open web, with the only way to access the information being the so-called dark web.
“Like millions of other Australians, my family was caught up in the Medibank breach and today we learn that our personal data is on the dark web. Our worst data breach nightmares are playing out in real time as our existing data protection laws and systems are no match for hackers,” David Shoebridge, a senator from the Australian Greens political party, tweeted on Wednesday.
Medibank has been criticized for its slow response to the hack, even initially announcing that while there may have been a breach, the insurer did not believe the hackers were able to steal sensitive information. This turned out to be terribly wrong.
[Image: The dark website hosting stolen Medibank data with a message from the hackers (edited by Gizmodo). Screenshot: BlogXX]
Australia is a rich country with plenty of resources for issues like cyber security, but people down under have struggled with protecting sensitive data for years, partly because of a brain drain in the tech sector that sees skilled workers go overseas for better jobs. This year has been particularly bad for Australia, with other high-profile data thefts such as the recent breach of telecoms giant Optus.
“Just want to thank @medibank. So far I have not received a single tip or information from them regarding the hacking of my family’s private health data. We pay their exorbitant premiums for 20 years FFS. Worse than @Optus and that’s saying something,” one customer tweeted.
The Australian Federal Police (AFP), Australia’s equivalent of the FBI, held a press conference on Wednesday about what it called Operation Guardian, encouraging anyone who may come into contact with extortion threats in the future.
“For customers affected by this latest breach, don’t be shy about contacting the police via ReportCyber if someone contacts you online, by phone or via SMS threatening to release your data unless payment is made,” Justine Gough, the AFP assistant commissioner for Cyber Command, said in a statement posted online.
“Extortion is a crime and those who misuse stolen personal data for financial gain face up to 10 years in prison. Operation Guardian will actively monitor the clean, dark and deep web for the sale and distribution of Medibank Private and Optus data,” Gough continued.