Medibank Private Ltd, which covers one-sixth of all Australians, said an anonymous individual showed the firm had stolen the personal information of 100 clients, including medical diagnoses and procedures, as part of the theft of 200 terabytes of data the company originally notified a week earlier.
The business did not specify how many of its 4 million clients were affected but cautioned that the figure was expected to climb. The Australian Federal Police stated they have launched an inquiry into the incident but did not elaborate.
The revelation adds to the anxiety surrounding a spate of cyber assaults on Australia’s largest companies since Optus, owned by Singapore Telecommunications Ltd, warned a month ago that data from up to 10 million users may have been taken.
So far, most public discussion has centered on the possibility that hackers might exploit stolen data to gain access to bank accounts. According to the Sydney Morning Herald, a communication from a person purporting to be the Medibank hacker threatened to reveal medical details of high-profile persons unless the person was paid.
“What we have here is… healthcare information, and simply making it public may do great harm to Australians, which is why we are so involved with this,” Cybersecurity Minister Clare O’Neill told the Australian Broadcasting Corporation.
Big Target Cybersecurity experts said it was unclear whether the data breach revelations were connected, given the different nature of the breaches. However, the Optus intrusion may have sparked interest in hacker networks.
“When you have a very publicized breach out there, like Optus in Australia,” said Jeremy Kirk, executive editor at Information Security Media Group, a cybersecurity specialised newspaper.
Telstra Corp Ltd, a larger Optus rival, acknowledged a minor compromise of employee data. At the same time, Woolworths Group Ltd claimed an unknown entity obtained unauthorized access to the user information of a discount website used by 2.2 million shoppers.
According to Sanjay Jha, the head scientist at the University of New South Wales Institute for Cybersecurity, the high-profile data breaches highlight the significance of multi-factor authentication – where a person uses a code given to a different device to log in – at every level of a company’s network.
“They may have done it for end users, but for internal systems, they should have even more severe control,” Jha told Reuters via phone.
“You need ongoing authentication so users don’t log in and leave forever, which allows attackers to exploit your system,” he continued.
Former FBI cyberterrorism investigator Dan Woods, now the chief of intelligence at cybersecurity firm F5, said Australia has “undoubtedly had its worst few weeks in terms of cybercrime, but on the plus side, it’s been a wake-up call the country may have needed.”