Australia's Data Breach Debacle ExpandsMedibank Extortionists Prove Their Hack and Vinomofo Data Turns Up on Forum
Australia's data breach debacle expanded on Thursday. Cyber extortionists who attacked Australian health insurer Medibank provided proof of their hack of medical data. Also, stolen data from Australian wine retailer Vinomofo was put up for sale on a Russian-language forum.
Medibank revealed on Thursday the worst-case scenario: It says ransomware/extortionists have provided proof of their hack with 100 insurance policies that contain claims data, medical services and codes related to diagnoses and procedures plus basic biographical data.
Medibank says it believes the data came from its ahm and international student systems. The cybercriminals also claim to have taken credit card data as part of a 200-gigabyte haul. The Sydney Morning Herald managed to get a copy of the ransom note on Wednesday, which threatened to send 1,000 prominent people their own medical data.
Claire O'Neil, Australia's no-nonsense Minister for Cyber Security and Home Affairs, called the attack against Medibank "dog act," an Australian English phrase meaning something particularly treacherous or unacceptable.
“Financial crime is a terrible thing but ultimately a credit card can be replaced, the threat that is being made here to make the private personal health information of Australians available to the public is a dog act," O'Neil said Thursday.
What happened at Medibank is a horrendous criminal act. That’s why our toughest and smartest are already working to prevent harm to Australians. pic.twitter.com/1rglpV53Iy— Clare O'Neil MP (@ClareONeilMP) October 20, 2022
We don't know how much the group is attempting to extort Medibank for. Medibank is now in an unenviable position, faced with either paying a ransom or seeing its data published on the web or sold to others.
The credit card data is the least of our worries. Medical codes related to diagnoses and procedures have to be among the most sensitive information about a person. Leaking them is horrible. Paying a ransom doesn't mean this data becomes secure.
Medibank has been remarkably transparent since it announced the incident on Oct. 13, giving frequent updates. On Monday, Medibank said that its investigation had turned up no evidence that data had been taken. The problem with transparency, though, is the situation could turn.
It shouldn't reflect poorly on Medibank that its initial conclusion may have been off about this incident. Since the massive data breach at telecommunications company Optus, there's a real thirst for transparency around data breaches, so we as the public should praise that but accept that situations may suddenly change (see: Optus Attacker Halts AU$1.5 Million Extortion Attempt).
Vinomofo Goes Silent About Customer Privacy
In other bad news Thursday, Aussie wine retailer Vinomofo's data appeared for sale Wednesday on a Russian-language cybercrime forum. The data appears to have been sold.
An advert says the database has 700,000 users and is 17 gigabytes. Many sample email addresses are in fact in Vinomofo's systems, so the sample appears legitimate. At least the password hashes are bcrypt with a work factor of 10. That’s not ideal but the situation could be worse, such as SHA-1 or MD5 hashes, says data breach expert Troy Hunt, who created the Have I Been Pwned data breach notification service.
A source passed me an email they received from Vinomofo after they directly questioned its use of production data in a test environment, a big no-no. Vinomofo wrote that it was "in line with industry practice." And that wasn't the only jarring part of the email.
Vinomofo continued by writing that it's not going to release more information about the incident "in the interests of the privacy of our customers and partners." That's not thinking about the interests of those people. Their privacy has already been compromised. That's in Vinomofo's interest.
And after today's wild data breach news, I need a drink.
Keep in mind that between Optus, Medibank, Vinomofo and another breach of an online retailer called MyDeal, which is owned by Australia's largest grocer, Woolworths Group, there are at least 13 million people in Australia who've been affected by a breach in the last month. And we don't know yet how many Medibank policyholders are affected.
That's astounding considering the Australian population is around 25 million. And it's a sign that maybe in 2022 we've finally reached a turning point in how we hold companies accountable for securing our personal data.