Medibank has confirmed that the hackers behind the breach that targeted its customers' information have gotten hold of the data of around 4 million customers, including health claims.
The Australian insurance firm announces that an internal investigation shows that the threat actors had greater access to members' information than initially thought, Bleeping Computer says.
The Investigation Reveals That Pertinent Customer Information Has Been Accessed
Medibank, Australia's biggest health insurer, confirms that a cyber attack has put the personal data of nearly 4 million customers at risk.
Through investigation, the company found that the hackers have now accessed all of Medibank's data, including allied health medical students' and international students' personal data.
This personal information includes names, addresses, birth dates, medical card numbers, and gender information, along with health claims made by customers.
According to ABC, the health insurance company has yet to determine what the hackers might use the stolen data for, but it expects the number of affected customers to grow substantially.
Because Medibank is legally required to hold on to old customers' information, former clients' data could be compromised as well.
To make it up to its members, The Guardian writes, Medibank will provide a financial support package as reimbursement for the hack that compromised their data.
The hack caused a major financial blow that could cost Medibank a minimum of $25 to $35 million AUD because it did not have cyber attack insurance.
This does not include the compensation that the company aims to give customers or the possible regulatory or legal fines that may be brought against Medibank.
John Goodall, the head of technology and operations for Medibank, tells The Guardian that the company has deployed monitoring tools on its networks, suggesting that the hackers have left the system.
Furthermore, the company is already in communication with the hackers, who obtained their credentials from another hacker on a Russian forum for cybercriminals.
However, the company declined to say what Medibank and the hackers have spoken about, such as whether it would be required to pay any ransom demands.
Cybersecurity Experts Call On Medibank To Protect Customers' Data
Following the series of high-profile data breaches that targeted large Australian firms, cybersecurity experts raised concerns about the dangers of information extortion.
Professor Richard Buckland from the University of South Wales tells ABC that experts are worried that the medical records that contain sensitive information might be revealed.
He adds that this will cause a lot of stress for the members, which could cause more Australians to distrust anyone with their data due to these large-scale hacks.
"It'd be lovely to see some legislation preventing people from collecting the data and forcing anyone that has collected data to delete it," Professor Buckland says.
Following this, Bleeping Computer reports that a proposal for a law has already been published by the Australian Government for the Privacy Legislation Amendment Bill of 2022.
This bill increases the privacy breach penalties from $2.22 million to $50 million AUD, or thrice the value of any item obtained through illegal activities.
It also gives the Australian Information Commissioner great power to resolve these breaches by forcing companies to share their details with the agency.