The government has sanctioned a Russian man for his role in the Medibank data breach that compromised the personal details of more than 10 million Australians.

In 2022, at least 9.7 million Medibank customers had information including names, dates of birth, addresses and phone numbers compromised.

Much of the personal information was published on the dark web after the hack in October 2022.

On Tuesday, the Albanese government used its cyber sanction powers for the first time to take aim at Russian citizen Aleksandr Ermakov.

It means it will be a criminal offence to provide assets, overhaul, or use or deal with Ermakov’s assets, including through cryptocurrency wallets or ransomware payments. Breaches will be punishable with up to 10 years in prison.

Deputy Prime Minister Richard Marles said publicly naming Ermakov would have an “enormous impact on his activities”. The sanctions include a travel ban.

Ermakov is a member of Russia’s REvil hacker group, which has been targeted by the FBI and Russia’s Federal Security Service.

Home Affairs Minister Clare O’Neil called the Medibank breach “the single most devastating cyber attack that we have experienced as a nation” and took aim at the “scumbags” responsible.

“This is a very important day for cyber security in our country,” she said in Canberra.

“We all went through it. Literally millions of people having personal data about themselves, their family members, taken from them and cruelly placed online for others to see.

“These people are cowards and they’re scumbags.”

O’Neil said it was the first time the Australian government had imposed such cyber sanctions – but it wouldn’t be the last.

“Today the Australian government is saying that when we put our minds to it, we’ll unveil who you are, and we’ll make sure you are accountable,” she said.

There are several Russian cyber gangs at the heart of the threats Australians face, according to the government.

The sanctions imposed are part of Australia’s efforts to debilitate these organisations

Many of them were dynamic and worked in clusters, Australian Cyber Security Head Abigail Bradshaw said, so naming and identifying cybercriminals would hurt their efforts.

Foreign Affairs Minister Penny Wong said the sanctions sent a message.

“There are costs and consequences for targeting Australia and targeting Australians,” she said.

“The sanctions are part of Australia’s efforts to ensure that we uphold the international rules-based order.”

Opposition cyber security spokesman James Paterson said the Coalition welcomed the sanctions but criticised the length of time between the data breach and the penalties being imposed.

“What the Albanese government has not explained is what has taken them so long,” he told Sky News.

“In December [2022], the Department of Foreign Affairs and Trade acknowledged that they provided advice to the Minister to do their sanctions, and in May 2023, the Australian Signals Directorate admitted that they had provided technical assistance for an attribution for this to happen.”

Paterson said while it was unlikely Russia’s government would penalise Ermakov, work was needed to minimise the likelihood of further cyber attacks.

“Cyber sanctions are important though, because what we’re trying to do is shape international norms, we’re trying to put a cost to this behaviour,” he sad.

“We cannot just click our fingers and make this go away.”

– with AAP