
Hackers post sensitive Medibank data


UPDATED: Information on drug addiction and HIV results exposes around 100 customers on the dark web.

By Josh Needs

Russian hackers who stole the personal details of almost 10 million Medibank clients have begun publishing sensitive information on the dark web.

Data on Medibank customers with drug addictions or positive HIV results has been loaded into an unencrypted file on the dark web that can be downloaded by anyone.

It contains information on around 100 patients who have been treated for drug use, alcohol abuse, or opioid dependence. A separate “good list” reveals health information on a further 100 Medibank customers treated for ailments from cataracts to colitis.

The hacker group, known as REvil, began posting information after the health insurer ruled out paying a ransom for the stolen data. 

“Looking back that data is not very understandable format (table dumps) we’ll take some time to sort it out and we posting a small part of the data, in ‘human readable format (sample in json)’ also we post all raw data,” said the REvil post. 

“We’ll continue posting data partially, including confluence, source codes, list of stuff and some files obtained from medi files system from different host.” 

Medibank said the data that was being leaked included names, addresses, dates of birth, phone numbers, email addresses, some health claims data, and passport numbers for some international students.

The most recent communication from the cyber criminals included a quote from Confucius along with the Mario meme as seen below. 

“A man who has committed a mistake and doesn’t correct it is committing another mistake - Confucius,” read the demand. 

“Data will be published in 24 hours.” 

“PS. I recommend you sell Medibank stocks.” 


Although his information was not a part of the revealed data, Prime Minister Anthony Albanese confirmed that he was a Medibank Private customer but said the insurer had done the right thing by not paying the ransom. 

“This is really tough for people. I am a Medibank Private customer as well, and it will be of concern that some of this information has been put out there,” he said. 

“Can I say this, though. The company has followed the guidelines effectively. The advice is to not engage in a ransom payment. If you go down this road, then you end up with more difficulties potentially across a wider range.”

Greens senator David Shoebridge also revealed he was a Medibank Private customer and was informed his personal data was released on the dark web. 

“Like millions of other Australians, my family was caught up in the Medibank breach and today we’re learning our personal data is on the dark web. Our worst data breach nightmares are playing out in real time as our existing laws and data protection systems are no match for hackers,” Mr Shoebridge tweeted. 

“The safest data is that which isn’t collected in the first place — a data heist of this magnitude is only possible because companies and govts are harvesting our data and refusing to appropriately secure it.” 

On Monday Medibank told the ASX that it refused to pay the ransom because it did not think it would prevent its customers’ data from being published or sold. 

“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” said Medibank CEO David Koczkar. 

“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a stronger chance that puts more people in harm’s way by making Australia a bigger target.”

In light of the recent hacks, businesses should be using encrypted databases, according to Dr Xingliang Yuan of Monash University’s Department of Software Systems and Cyber Security. 

“Businesses should be adopting encrypted databases which can store, query, and process the data in an encrypted form directly,” said Dr Yuan. 

“Only trusted parties like the data owners can decrypt data in such systems and they can reduce the attack surface at the server level.”

“Companies are not doing enough for data security. More significant investment is needed to ensure data protection at the business level.” 

Investigators with AFP’s Cyber Command are working with both public and private sector agencies to identify those buying, or selling, stolen personal identification information. 

Operation Guardian, which was a joint initiative with state and territory police set up last month to protect those impacted by the Optus data leak, will now also extend to Medibank Private customers. 

The public is encouraged to look out for any suspicious or unexpected activity across their online accounts, to not click any links in any email claiming to be from Medibank Private, to hang up on calls claiming to be from Medibank Private, the police, a bank, or another organisation that offers to help with the data breach, and to never give access to their computer to someone who calls posing as a credible organisation.


Josh Needs


Josh Needs is a journalist at Accountants Daily and SMSF Adviser, which are the leading sources of news, strategy, and educational content for professionals in the accounting and SMSF sectors.

Josh studied journalism at the University of NSW and previously wrote news, feature articles and video reviews for Unsealed 4x4, a specialist offroad motoring website. Since joining the Momentum Media Team in 2022, Josh has written for Accountants Daily and SMSF Adviser.
