A group of hackers began leaking medical data stolen from an Australian insurer on Wednesday that refused to pay a ransom, including a list of people with HIV or drug problems.
Medibank, one of Australia’s leading insurers, told its investors and customers that a “sample” of data from about 9.7 million people had been posted on “a hidden web forum”.
The information stolen includes names, dates of birth, addresses, passport numbers or medical claims details, in two lists, “good” and “bad”.
“Bad” consists of numerical codes associated with drug use, alcohol abuse or HIV infection.
Medibank has already warned that it expects more leaks.
The company had refused to pay the amount sought by the hackers to stop the leak, saying it would encourage criminality and would not guarantee that the information would be secure.
Medibank is one of Australia’s largest private insurance companies and the leak is likely to affect some of the country’s most influential and wealthy.
Prime Minister Anthony Albanese claimed he is a customer of the insurer and called the attack “a wake-up call” for Australian businesses.
– A possible link to Russia –
The leaked data was posted on a hidden web forum known as the “darknet”, which cannot be accessed using traditional browsers.
“We will continue to publish the data”, the hackers would have written ahead of publication.
Those responsible have not yet been identified, but Australian Federal Police Commissioner Justin Gough speculated that the leak was the work of “a criminal group or criminal group” that may have operated from overseas.
Sanjay Jha, head of science at the Institute of Cyber Security at the University of New South Wales, said it was difficult to attribute the attack to a specific group.
However, he told AFP there were some indications that the attack was linked to a Russian hacker group called Revil.
“The pattern partly matches their behavior. That is why there are some serious indications that they may be selling data,” Jha said.
This security loophole has already cost the market valuation of Medibank hundreds of millions of dollars, whose shares have fallen 20% since October, when the leaks were reported.
Medibank is facing a potentially costly class action lawsuit.
On Tuesday, the two law firms announced they would work together to determine whether Medibank has failed to meet its obligations to protect the privacy of its customers, as required by Australian law.