Read the sinister messages hackers sent to Medibank boss as personal details – and sensitive medical conditions – of millions of customers are posted on the dark web
- Hackers launched a cyber attack on health insurance firm Medibank last month
- They demanded Medibank pay a ransom or risk their clients’ data being leaked
- Medibank tried to stall and trick hackers into showing what they really had
- Group released info of HIV-positive patients and those with drug addictions
- Other customers also had their names, addresses and birth dates leaked
Medibank and Russian hackers spent weeks discussing threats to leak the private information of millions of Australians to the dark web before the cybercriminals pulled the trigger.
On Wednesday, hackers began leaking Medibank customers’ personal information, including details relating to people who are HIV-positive or have drug addiction issues and mental health diagnoses.
WhatsApp messages between the clandestine group and CEO David Koczkar were also released.
The messages and emails published by the hackers, known as Blogxx and REvil, revealed how Medibank bosses stalled as they tried to work out what data was at risk and who had it.
Medibank tried to trick Russian hackers into showing their hand and revealing what information they really had as they tried to determine the risk, before refusing to pay any ransom.
Medibank reported a ‘cyber incident’ on October 13 and took the data and policy systems of its budget provider, AHM, and its international student division offline.
The hacker group made the first move, directly contacting Mr Koczkar, on WhatsApp on October 18, The Australian reported.
‘Hi! As your team is quite shy, we decided to make the first step in our negotiation,’ the message said.
The hackers outlined their plans to sell Medibank’s database to ‘third parties’ in their opening salvo.
It identified a selection of Medibank customers it had put on a ‘naughty list’ including ‘[people with] most followers, politicians, LGBT activist, drug addictive people etc’.
Medibank representatives tried repeatedly to get the hackers to show their hand to determine the risk.
More than 100 Medibank patients battling addiction had their information leaked in a ‘naughty-list’ file. The leak included their names, addresses and birth dates.
‘We need to be sure you’re the person who says they have our data [so] can you tell us all the addresses and phone numbers you sent messages to?’
The hackers responded ‘Ok we wait’.
Medibank tried again, saying ‘Please tell us phone numbers and emails you used, so we know which ones are really you.’
The hackers sent a full listing of stolen files, to which Medibank replied: ‘We need time to review, we will get back to you’.
The company then disclosed to the Australian stock exchange that hackers had contacted it to ‘negotiate’ over 200 gigabytes of customer data stolen from Medibank’s systems.
That drew a sinister response from the hackers, who said: ‘Judging by your public statements, you are not in the mood for negotiations’.
On October 25 they gave the company ‘one day’ to pay a ransom before promising to ‘do everything in our power to inflict as much damage as possible for you, both financial and reputational’.
Negotiations broke down on November 2, before Medibank outright refused to pay a ransom three days later.
On Wednesday, November 10, hackers began leaking the private data of selected Medibank customers.
The cyber attack was launched on Australia’s largest private health insurer last month, putting the sensitive personal information of its 9.7million current and former customers at risk.
The group posted the ‘naughty-list’ file on the dark web Wednesday morning that contained more than 100 patients who have been treated for alcohol abuse, cannabis, cocaine or opioid addiction, HIV and mental health issues.
That data on the naughty list also included patient names, personal addresses, birth dates and health insurance details.
A ‘good-list’ was also published on the dark web that featured the same private information of other Medibank customers.
Wednesday’s data dump contained the personal information of 198 patients in total.
Medibank has promised to tell customers what info it believes has been stolen and posted on the dark web and to give advice on what to do if you have been compromised.
‘The files appear to be a sample of the data that we earlier determined was accessed by the criminal,’ the company said on Wednesday.
The hackers are expected to continue leaking the private information of more Medibank customers over the coming days.
Prime Minister Anthony Albanese said government security agencies are working with Medibank following the latest leak.
He is one of the customers affected by the leak.
‘The company has followed the guidelines effectively, the advice, which is to not engage in a ransom payment,’ Mr Albanese said.
Former tennis champion and Channel 9 broadcaster Todd Woodbridge is one of those who have been targeted.
The 51-year-old, who suffered a mild heart attack last month, got five calls in a row from the same number yesterday.
‘They ended up leaving me a message and the message was that I had bills to pay from the hospital stay that I had,’ he told Heidi Murphy on 3AW.
‘They knew the hospital that I had stayed in and they wanted me to ring back and give me an account number and wanted me to pay over the phone.’
The Australian Federal Police has expanded its joint initiative with state and territory police set up to investigate September’s Optus data breach to also target the Medibank hack.
‘Operation Guardian will be actively monitoring the clear, dark and deep web for the sale and distribution of Medibank Private and Optus data,’ AFP Assistant Commissioner Cyber Command Justine Gough said.
‘This is not just an attack on an Australian business.
‘Law enforcement agencies across the globe know this is a crime type that is borderless and requires evidence and capabilities to be shared.’
Medibank apologised again to clients past and present. It advised customers to be alert for any phishing scams via phone, post or email.