Medibank data posted online after ransom deadline passes

Medibank hackers release data on dark web

Medibank has confirmed a ransomware group has begun posting client data stolen from Australia’s largest health insurer on the dark web.

Hundreds of names, addresses, birthdates and ahm customers’ Medicare numbers were posted under “good-list” and “naughty-list” on a blog belonging to a ransomware group early on Wednesday.

Other released data includes phone numbers, email addresses, some health claims data, and in some cases, passport numbers for Medibank’s international students.

Following the leak, Medibank said it expected more files to be released on the dark web.

“The files [already released] appear to be a sample of the data that we earlier determined was accessed by the criminal,” Medibank said in a statement.

“We will continue to work around the clock to inform customers of what data we believe has been stolen and any of their data included in the files on the dark web and provide advice on what customers should do.”

Medibank said hackers might also attempt to contact customers directly.

Medibank CEO David Koczkar again “unreservedly” apologised to customers.

“This is a criminal act designed to harm our customers and cause distress,” he said.

“We take seriously our responsibility to safeguard our customers and we stand ready to support them.”

Medibank hackers make good on threat

Hackers had demanded a ransom to stop them from releasing the data, but Medibank said on Tuesday it would not pay it because it would encourage further crime.

Shortly after midnight, the group posted the first lists.

“Looking back that data is stored not very understandable format (table dumps) we’ll take some time to sort it out,” they said early on Wednesday.

“We’ll continue posting data partially, need some time to do it pretty.”

The hackers also appeared to have revealed screenshots of recent private messages between themselves and Medibank representatives.

Medibank has previously confirmed almost 500,000 health claims were stolen by the hackers, along with personal information, when the unnamed group hacked into its system weeks ago.

Some 9.7 million current and former customers have been affected.

No credit card or banking details were accessed.

On Tuesday, the ransomware group posted to its blog that “data will be publish (sic) in 24 hours”.

“P.S. I recommend to sell (sic) medibank stocks.”

Medibank has advised customers to be alert for any phishing scams via phone, post or email.

“We knew the publication of data online by the criminal could be a possibility but the criminal’s threat is still a distressing development for our customers,” Mr Koczkar said on Tuesday.

Government advised against ransom payment

Home Affairs Minister Clare O’Neil lashed the hackers as “scumbags” on Wednesday and said Medibank’s decision not to pay a ransom to cyber criminals was in line with government advice.

She urged social media users not to share any of the leaked details.

“I know you will not do that because that would be enabling and supporting the scumbags who are at the heart of these crimes,” she said.

Medibank is certainly not alone in refusing to pay a ransom demand, with a recent report finding 19 per cent of Australian companies responded to ransomware attacks by paying the fee.

Mimecast’s 2022 State of Ransomware Readiness report found 20 per cent of companies were asked to pay between $500,000 and $999,999 for their information.

Some 13 per cent of the businesses surveyed said the total cost of the ransomware attacks they’d experienced was between $1 million and $2 million.

At a Senate estimates hearing on Tuesday, Australian Federal Police commissioner Reece Kershaw told businesses to make sure they contacted authorities as early as possible if they suspected a possible data breach.

With the FBI helping the Australian Federal Police track down those behind the Medibank and Optus data breaches, Mr Kershaw said investigating would be long and complex.

“The longer it takes relevant agencies to be informed, the harder it is for perpetrators to be identified, disrupted or brought to justice,” he told senators.

Medibank said it was working with the Australian government, including the Australian Cyber Security Centre and the Australian Federal Police.

The AFP have also expanded Operation Guardian, a joint initiative with state and territory police set up in September to protect Optus customers following the telco’s data breach, to include protections for Medibank customers whose personal information has been unlawfully released online.

Medibank urged customers to be “vigilant” with online communications and transactions, including:

  • Being alert for any phishing scams via phone, post or email
  • Verifying any communications received to ensure they were legitimate
  • Not opening texts from unknown or suspicious numbers
  • Changing passwords regularly with ‘strong’ passwords, not re-using passwords and activating multifactor authentication on online accounts where available

The company repeated that it would never contact customers asking for passwords or sensitive information.

Those who believe they have been affected by the Medibank hack should follow this link to find out what steps to take next.

-with AAP

Copyright © 2024 The New Daily.
All rights reserved.