The Australian Federal Police (AFP) claims to have identified the group responsible for the Medibank cyber-attack and subsequent data leaks to the dark web, and is promising the suspects will face the full force of the law.
But this is cold comfort for thousands of innocent victims, many of whom continue to be threatened with the disclosure of their medical records if they refuse to pay a hefty ransom.
The story so far
In September this year, hackers threatened to release the personal data of Medibank customers unless their ransom demands were met.
The extortion demand has the potential to expose up to 3.9 million Australians to the possibility of fraud and identity theft, and those who claimed responsibility threatened to release the data of 1000 of the health insurance provider’s ‘most prominent customers’ as a ‘warning shot’ if they did not get what they wanted.
“[W]e’ve found people with very interesting diagnoses. And we’ll email them their information”, the hackers are reported to have stated.
Since that time, the breach and threat have impacted thousands of people, who are concerned that the confidential information uploaded to their insurer’s site will be made public without their authorisation.
The extortion attempt has led to stress and anxiety and, in the context of numerous data breaches at large organisations over the past few months, has led many to question whether companies and indeed government agencies should be allowed to hold personal and sensitive information on servers which can easily be cracked by cyber-criminals.
Ransom not paid
On the advice of authorities, Medibank did not succumb to the ransom demand made of the insurer – reported to be USD$10 million, or about AUD$15 million – for the safe return of the data.
That decision, while potentially dissuading other hackers from engaging in similar conduct, has cost 9.2 million Australians an incredible amount of distress because ultimately, they’re innocent victims, completely powerless to do anything to stop the damage.
Shifting the blame
Medibank was indeed placed in an extremely difficult position, with CEO David Koczkar spending the past few weeks apologising to customers and calling the actions of the group responsible “deplorable”.
That said, many are asking questions about how the breach occurred, whether the systems put in place by the company were sufficient, and whether we should be allowing companies to store our personal information on servers that can be breached.
Indeed, it’s all very well for the heads of companies and government agencies to assert that cyber criminals are getting smarter and their scams more sophisticated, but all of us rely on the law for protection, and in this instance it has completely failed Australians. That failure became obvious when Optus suffered a data leak, and it has only been exacerbated by the fallout from the Medibank cyber attack.
AFP claims a win
Meanwhile, the AFP is talking up its “significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system”.
But whatever the agency says, hackers appear free to continue to release information from the Medibank breach, and the full repercussions for victims are not yet known.
In fact, hackers seem to be breaching data held by Australian organisations with increasing frequency and ease.
Long lasting repercussions
While Medibank has been somewhat guarded with the details of the breach, it has confirmed the hackers have, at the very least, information that includes: a list of Medibank employees, with their full names, email addresses and mobile phone numbers, as well as some home Wi-Fi details (which can be used to find a person’s home address); and personally identifiable information, including what appear to be passport numbers or driver’s licence numbers.
Even this information can be used in a number of ways — the most obvious being identity fraud, scams and blackmail.
With such a high level of detail at their disposal, cyber criminals could easily commit identity theft and run very believable phishing scams, crimes that could be perpetrated over the coming months or even years.
For Medibank customers, there is a long road ahead – replacing documents and securing online accounts – and the threat of having their data made public, or of being the victim of a further crime, lingers.
The AFP believes, at this point in time, that a group of “loosely affiliated cybercriminals” is responsible – but it has stopped short of naming names.
The likelihood of bringing cyber criminals to justice
Cyber crime experts believe the individuals responsible may belong to, or have close links to, the Russia-based ransomware crime group REvil, which appeared in 2019 and was particularly active in 2021, but has since appeared to stop all activity.
The truth is that cyber criminals are not easy to detect, and harder still to actually catch. The AFP is now calling on Russian authorities to assist with its investigations – how likely and forthcoming that cooperation will be is not certain, given Russia’s current preoccupation with war and the global condemnation it has received for its attack on Ukraine.
Unfortunately, at this point in time, cyber crime experts say that the reality is it will be virtually impossible for the AFP to bring these criminals to justice.
The repercussions for Medibank are likely to be severe, though. Optus is the target of several investigations over the data breach which affected millions of its customers in September 2022, and at least two law firms are investigating the possibility of a class action against the telco.
By comparison, the Medibank data breach has been much more severe. Two law firms are already calling for people to register for a class action against Medibank based on breaches of the Privacy Act.