Medibank, which covers one-sixth of Australians, said an unidentified person showed the company stolen personal information of 100 customers, including medical diagnoses and procedures, as part of a theft of 200 gigabytes of data, first disclosed by the company a week earlier.
The company did not say how many of its 4 million customers were likely to have been affected but warned the number was likely to rise. The Australian Federal Police said they had opened an investigation into the breach, without commenting further.
The disclosure adds a new layer of angst to a wave of cyber attacks on Australia’s biggest firms since No. 2 telco Optus, owned by Singapore Telecommunications Ltd, revealed a month ago that data of up to 10 million customers may have been stolen.
Until now, most public commentary has focused on the risk that hackers would use stolen data to access bank accounts.
The Sydney Morning Herald reported that it obtained a message from a person claiming to be the Medibank hacker threatening to publish medical records of high-profile individuals unless the person were paid.
“What we have here is … healthcare information and that just on its own being made public can cause immense harm to Australians and that’s why we are so engaged with this,” Cybersecurity Minister Clare O’Neill told the Australian Broadcasting Corp.
Discover the stories of your interest
Big target
Cybersecurity experts said it was unclear whether the data breach disclosures were related, given the varied nature of the attacks, but the publicity generated by the Optus attack may have drawn attention in hacker networks.
“When you do have a highly visible breach like Optus in Australia out there, hackers take notice of that and go ‘maybe I’ll have a go down there and see what I can get away with,'” said Jeremy Kirk, executive editor at Information Security Media Group, a cybersecurity specialist publication.
Larger Optus rival Telstra Corp Ltd has disclosed a small breach of employee data, while No. 1 grocery chain Woolworths Group Ltd said an unidentified party gained unauthorised access to the customer database of a bargain website used by 2.2 million shoppers.
The high-profile data breaches show the importance of multi-factor authentication – where a person uses a code sent to a separate device to log in – at every level of a company’s network, said Sanjay Jha, chief scientist for the University of New South Wales Institute for Cybersecurity.
“Maybe for end users they have done it, but for internal servers they should have even more stringent control,” Jha told Reuters by phone.
“You need continuous authentication so that people don’t log in and leave it forever, and then attackers can compromise your system,” he added.
Dan Woods, a former FBI cyberterrorism investigator who is now head of intelligence at cybersecurity firm F5, said Australia had “undoubtedly experienced its worst few weeks from a cybercrime perspective, but on the positive side it’s been a wake-up call the country may have needed”.