CANBERRA, Australia (AP) 鈥 A cybercriminal was holding for ransom an Australian health insurer鈥檚 customer data including diagnoses and treatments, in the nation鈥檚 second major privacy breach in a month, officials said on Thursday.
Trade in Medibank shares has been halted on the Australian Securities Exchange since Wednesday when police were alerted that the company had been contacted by what it described as a 鈥渃riminal鈥 who wanted to negotiate over the stolen personal data of customers.
Medibank, which has 3.7 million customers, said on Thursday the criminal had provided a sample of 100 customer policies from a purported haul of 200 gigabytes of stolen data.
Details included customer names, addresses, birth dates, national health care identification numbers and phone numbers.
Cybersecurity Minister Clare O鈥橬eil said most concerning was that records of medical diagnoses and procedures had also been stolen.
鈥淔inancial crime is a terrible thing. But ultimately, a credit card can be replaced,鈥 O鈥橬eil told reporters.
鈥淭he threat that is being made here to make the private, personal health information of Australians made available to the public is a dog act,鈥 she added.
The thief had threatened to sell Medibank data to third parties and singled out records of 1,000 politicians, media personalities, actors, LGBTQ activists and drug addicts for exposure, Nine Network News reported.
鈥淲e found people with very interesting diagnoses,鈥 the thief reportedly wrote to Medibank.
Medibank declined to comment on the reported threats and would not release details beyond its statement to the Australian Securities Exchange.
The Medibank breach came a month after a cyberattack stole from telecommunications company Optus the personal data of 9.8 million customers.
The Optus breach, which compromised the personal data of more than one-third of Australia鈥檚 population, prompted the government to propose urgent reforms to privacy laws that would increase penalties for companies that fail to protect customers鈥 data and limit the quantity of data that can be retained.
O鈥橬eil said cybercrime was a growing problem around the world and that Australia needed to be better prepared.
鈥淲e are going to be under relentless cyberattack essentially from here on in, and what it means is that we need to do a lot better as a country to make sure that we are doing everything we can within organizations to protect customer data and also for citizens to be doing everything that they can,鈥 O鈥橬eil said.
鈥淐ombined with Optus, this is a huge wake-up call for the country and certainly gives the government a really clear mandate to do some things that frankly probably should have been done five years ago, but I think are still very crucially important,鈥 she added, referring to privacy law reforms that the government hopes to pass through Parliament this year.
O鈥橬eil described the Medibank breach as a 鈥渞ansomware attack,鈥 which the government defines as an attack with malware that locks or encrypts files so that the owner can no longer access them.
O'Neil's office later said she misspoke and meant that the culprit had demanded ransom.
Medibank said its systems had not been encrypted by ransomware and its usual customer activities continued.
Medibank chief executive David Koczkar said his company was working with specialized cybersecurity firms as well as police and government experts in response to the breach.
鈥淚 unreservedly apologise for this crime which has been perpetrated against our customers, our people and the broader community,鈥 Koczkar said in a statement.
鈥淚 know that many will be disappointed with Medibank and I acknowledge that disappointment,鈥 he added.
Rod Mcguirk, The Associated Press