Some of Virgin Australia’s frequent flyers have had their accounts locked, as the fallout from the Medibank data hack widens.

Thursday’s development followed the release of more sensitive data by hackers, as they confirmed they had demanded $1 for every one of the 9.7 million customer records stolen.

It also came as Queensland moved to tighten rules on driver’s licences following the Optus and Medibank breaches.

Medibank has refused to pay a ransom for the personal health data believed to have been stolen by ransomware group REvil.

On Thursday, it emerged that about 3000 Virgin frequent flyers had been caught in the Medibank breach.

“After being notified late [Wednesday], Virgin Australia is acting to protect a small number of Velocity frequent flyer membership numbers [that] may have been compromised as part of the Medibank cybercrime event,” a Virgin Australia Group spokesperson said.

“As a precautionary measure, we have locked the accounts of impacted members. We are notifying impacted members this morning and are in the process of creating new membership numbers for those members.”

The airline said affected customers would still be able to fly, access lounges and earn points while they waited for new numbers to be issued. They will not be able to redeem points or log in online until they get their new numbers.

Elsewhere, Premier Annastacia Palaszczuk said Queenslanders would need to quote two unique numbers on their driver’s licences to verify their identity to open a bank, internet, phone or utilities account.

The move to “two-factor” verification follows September’s Optus data breach, which prompted thousands of people to apply for new licences in recent weeks.

From Thursday, Queensland licences won’t be acceptable as a form of ID unless people quote the unique card number as well as the licence number.

Optus revealed the cyber attack had potentially exposed the personal data, including the driver’s licence numbers, of almost 10 million customers on September 23.

The Queensland government offered to replace the licence numbers of those caught up in the breach. It believes that could be almost 665,000 people.

The state transport department, which usually processes about 30 licences a week, has received more than 170,000 applications since September 28.

State Transport Minister Mark Bailey said the two-factor rules were due to be imposed next year, but had been brought forward.

“This extra security measure will mean the compromised licence number cannot be used for fraudulent activity on its own,” he said.

Mr Bailey said affected Optus customers who were yet to change their licence numbers could still do so for free.

Opposition transport spokesman Steve Minnikin said Queensland had to replace 10 times the number of licences as NSW because the government didn’t opt into a state-federal verification program on time.

He said the Queensland government didn’t implement the national Document Verification Service changes on September 1.

Medibank’s bleak warning

The Medibank hackers have started releasing personal data onto the dark web – with the health insurer advising customers to expect more releases.

“The weaponisation of people’s private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community,” Medibank CEO David Koczkar said in a statement on Thursday.

“The release of this stolen data on the dark web is disgraceful … these are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said the ransomware group’s actions were “abhorrent”.

“These acts are abhorrent. To post Australians’ sensitive health information on the dark web is very concerning,” she told Nine’s Today show.

“Right now, we need to support affected individuals.

“People whose highly sensitive health information was stolen and posted on the dark web will get the support they need.”

Medibank has set up links to mental health services on its website.

Elsewhere, federal minister Annika Wells reiterated the government’s advice was not to pay ransoms and make a police report.

“You do not pay the ransom,” she told Nine.

“You’re making the assumption that that is true and what we’re saying is that may not necessarily be the case – plenty of scumbags out there are going to try and make the most of this situation.”

Opposition cybersecurity spokesman James Paterson said there was no doubt affected Medibank customers will be very distressed.

“Unfortunately … this is the worst-case scenario,” he told ABC Radio, adding that companies need to take hacking threats seriously.

“If after Optus and Medibank they’re not taking it seriously, they need their heads read.”

Australian Federal Police are ramping up efforts to catch those behind the huge data breach and are co-ordinating with state and territory police to support people at risk of identity fraud.

Operation Guardian, which was set up to tackle the recent Optus hack, is being expanded to investigate the Medibank data theft.

-with AAP