Leaked emails between Russian hackers and Medibank have revealed how the insurance giant negotiated behind the scenes for two weeks before ultimately refusing a $15 million ransom demand.
Screenshots of the messages, which were posted to Reddit on Thursday, were reportedly contained in the full 6.5 gigabyte data leak uploaded to the dark web by the hackers as they declared “case closed”.
Medibank first disclosed it had been hit by a “cyber incident” in October, and less than a week later revealed it had been contacted by a hacking group claiming to have stolen sensitive customer data.
The Medibank data breach involves highly personal information of millions of customers including names, dates of birth, phone numbers, email addresses, some Medicare and passport numbers and in some cases sensitive health care information, including codes associated with diagnosis and medical procedures.
In an email dated October 19, a Medibank representative using a Protonmail email account wrote, “Hello. We received your message. We want to talk with you, but need to be sure you’re the person who says they have our data. Can you tell us the addresses and phone numbers you sent messages to?”
Subsequent messages show negotiations between the hacker, going by the handle “johnkramerrrr”, and the Medibank representative over how they will communicate, discussing WhatsApp and qTox, and encrypted chat program, before agreeing to continue speaking via Protonmail.
The Medibank representative then asked the hacker to “please send us a full file listing” so they can ”confirm what data you have”.
The hacker replied with the requested files, detailing how they carried out the breach.
“We accessed Redshift on jump servers,” they wrote.
“And download the data in csv files with our application. Then we uploaded the data to our server. Guided by the source code and documentation from Confluence, we linked the data and made selections.
“Here is the listing of the files: csv(data from redshift), confluence, stash (source code). Based on confluence we’ve accessed all 7 layers including RedShift and Glue using a workbench.
“We’ll spend about a month to figure out in your system and dump a tables with PII data.”
Medibank replied, “Received. We need some time to review. We will get back to you.”
Two days later, after several messages back and forth, the hackers said they had run out of patience.
“Judging by your public statements, you are not in the mood for negotiations and we have nothing to do but start posting data and also inform users that their data has been compromised and this is purely the fault of your company,” they wrote.
“In addition to informing, we will also drop the link to a public source where the data is published so that it would be easier for them to form a lawsuit, we will regularly post data every day and support the news feed. We will also get a secondary benefit from posting data in the form of hype about our affiliate program.”
They added, “But we are also ready to give you a day to think about how you should be better. And we advise you to proceed to the discussion of the price of demand.
“In the event of a negative outcome of the negotiations for us, we will do everything in our power to inflict as much damage as possible to you, both financial and reputational.”
Medibank replied that it was required under Australian law to keep customers and investors informed.
“We still want to work with you to protect our customers data,” the representative wrote. “We don’t know who you are, which makes it very hard to trust you.”
The hackers continued to haggle, promising to permanently delete the data after payment.
“We will send you a file deletion report, and we will bring you some security advice on how to protect your network,” they wrote.
“We are interested in getting money, not destroying your company.”
Medibank insisted it still needed more time.
“Our team needs to validate where those files came from,” the representative wrote. “Our network is very large and complex, as you have seen!”
On October 28, the hackers accused Medibank of trying to “slow down the negotiations”, giving a deadline of five days.
“We’re sorry it’s taking us time,” Medibank wrote on November 2. “We’re under huge pressure from many sides.”
The hackers replied, “Based on our previous experience in negotiation with our victims, looks like our negotiations going to the dead end.”
After a several more messages back and forth, Medibank finally wrote, “After considering all options, we have made a decision that we cannot pay your demand. It is also Australian government policy that ransoms should not be paid. We understand the impact this may have.”
In response to questions on Friday, Medibank said it could not comment on “any communications with the threat actor” due to the ongoing police investigation.
On Thursday, Medibank confirmed the stolen customer data, believed to be the entire hack, had been released on the dark web overnight.
“We are in the process of analysing the data, but the data released appears to be the data we believed the criminal stole,” Medibank said in a statement.
“Unfortunately, we expected the criminal to continue to release files on the dark web.
“While our investigation continues there are currently no signs that financial or banking data has been taken. And the personal data stolen, in itself, is not sufficient to enable identify and financial fraud.”
The dump consisted of six zipped files in a folder called “full”, containing the raw data.
Medibank said much of the data was “incomplete and hard to understand”.
“For example, health claims data released today has not been joined with customer name and contact details,” it said.
Medibank chief executive David Koczkar said the company was “remaining vigilant and are doing everything we can to ensure our customers are supported”.
“It’s important everyone stays vigilant to any suspicious activity online or over the phone,” he said. “We will continue to support all people who have been impacted by this crime through our Cyber Response Support Program.
“This includes mental health and wellbeing support, identity protection and financial hardship measures. If customers are concerned, they should reach out for support from our cybercrime hotline, our mental health support line, Beyond Blue, Lifeline or their GP.”
He warned that anyone who downloaded the data was committing a crime.
“The Australian Federal Police have said law enforcement will take swift action against anyone attempting to benefit, exploit or commit criminal offences using stolen Medibank customer data,” he said.
“We continue to work closely with the Australian Federal Police who are focused, as part of Operation Guardian, on preventing the criminal misuse of this data.”
Mr Koczkar added, “Again, I unreservedly apologise to our customers. We remain committed to fully and transparently communicating with customers and we will continue to contact customers whose data has been released on the dark web.”
Meanwhile, the Office of the Australian Information Commissioner (OAIC) has launched an investigation into Medibank’s handling of personal information, after a representative complaint lodged by law firm Maurice Blackburn.
The OAIC has the power to order Medibank pay compensation to affected customers.
“The disclosure of personal information, particularly the nature of the information held by Medibank, has caused millions of Australians significant distress,” Maurice Blackburn principal lawyer Andrew Watson said in a statement.
“The right to privacy is a fundamental human right, and the representative complaint to the Australian Information Commissioner offers an avenue of redress to the millions affected by this incident.
“We cannot undo the damage that has been caused in this data breach, but we can ask the Commissioner to investigate the data breach and seek compensation from Medibank on behalf of those affected, including for financial or non-financial loss, such as humiliation, stress, and feelings of anxiety.”
Medibank said on Thursday that it was not aware of such a complaint lodged by Maurice Blackburn, but confirmed the OAIC had launched an investigation.
“Medibank will continue to co-operate with the OAIC and its investigation,” Medibank said.