The recent Medibank breach resulted in millions of health data records being leaked onto the dark web as the company chose to ignore ransom payment demands. Around 9.7 million documents have been stolen, but so far only a small fraction have been released by the criminals.
The incident, combined with a recent series of similar massive data breaches, has prompted the Australian government to discuss the possibility of banning ransomware payments. It would be a major break with the status quo, as nations have largely avoided payment bans at the national government level.
Massive data breaches prompt discussion about banning ransom payments
Although the data of 9.7 million current and former customers was stolen, it is still unclear how detailed the average record was. Some records are known to have included health insurance numbers, passport numbers and visa details, and around half a million health claims were taken. However, some records may have been limited to basic contact information such as home and email addresses and telephone numbers.
Medibank CEO David Koczkar said the company believed the ransom payments would only offer a “limited chance” of keeping customer health data off the dark web, and that the payments would encourage attackers to persist in their criminal enterprises. Medibank has warned customers that this means their health data can be made available to anyone via the dark web, and the data can be used by criminals to contact them with scam attempts.
The attack on Medibank unfolded over a period of around a month and a half during which major Australian companies were heavily targeted, and a number of successful breaches produced massive amounts of sensitive data. Other companies that have lost millions of records to attacks during this period include telecommunications giant Optus and retailer Woolworths; a number of other companies lost tens to hundreds of thousands of records during this wave of criminal activity.
The attackers who demanded ransoms from Medibank are believed to have ties to the now defunct REvil gang, which was at the top of the ransomware world in 2021. Some members of the gang were arrested as international security forces coordinated to neutralize the group, but others are believed to have fled to launch their own new operations using similar tools and tactics.
Hackers had initially threatened to be selective in their release of health data if ransom payments were not made, and they appear to be keeping that promise. Security researchers note that the first trickle of files includes high-profile politicians, as well as files from seemingly more obscure victims who are coded with a diagnosis of drug or alcohol abuse. The group seems to think that a trickle of some of the most potentially embarrassing or sensitive information will cause Medibank to reconsider its stance on ransom payments. Its next big threat is to delete the health data of patients who have had abortions.
The group also claims it stole encrypted credit card numbers during the raid and leaked them along with the keys to decrypt them. Medibank disputes this, saying it sees no evidence of access to financial information. The attackers have already started selling access to records on a piecemeal basis, charging $1 for access to a record. Australian police have warned that downloading the data samples could be considered an offense and lead to charges.
Failure to protect sensitive health data could result in fines and class action lawsuits
Medibank’s decision not to pay could become the law of the land as the Home Office is now considering the possibility of banning ransom payments to stem the growing problem. Minister Clare O’Neil voiced support for Medibank’s decision and said the department would consider a ban as a “long-term” possibility.
There is no commitment at this stage beyond taking a look, but if Australia were to make that move, it would be virtually alone among its Five Eyes intelligence partners. Some US states have banned government agencies from making payments, but the country as a whole appears to be committed to allowing private sector ransom payments in the interest of giving struggling businesses that are caught off guard a chance to avoid financial ruin.
Rebecca Moody, head of data research at Comparitech, says global trends are actually moving away from ransom payments, at least according to what companies are willing to publicly admit: “According to data collected through our Worldwide Ransomware Tracker, just under 18% of ransom demands have been paid (when companies confirm whether they have paid or not). However, companies are much more likely to confirm that they have not paid than that they have, as admitting to paying a ransom gives the impression that it exposes them to future attacks.”
Medibank is offering affected customers a “Cyber Response Assistance Package” that includes fee reimbursement if a customer chooses to replace a government ID because it appeared in stolen health data. The company also offers a form of “hardship support” as well as identity protection resources and guidance.