Medibank reported the breach on October 13 and the Russian ransomware group has been releasing customer information in a staged manner on the dark web since early November.
“Happy Cyber Security Day!!! Added folder full. Case closed,” the hackers posted on Wednesday night.
But unlike previous data dumps they did not provide active file names or links. Earlier links are also inactive. As well, the hackers’ blog had been inactive since November 20.
In a statement, a Medibank spokeswoman said the company was aware of the data release and was analysing the information.
“Unfortunately, we expected the criminal to continue to release files on the dark web,” the spokeswoman said.
“There are currently no signs that financial or banking data has been taken. And the personal data stolen, in itself, is not sufficient to enable identify and financial fraud
“The raw data we have analysed today so far is incomplete and hard to understand.”
Medibank chief executive David Koczkar said investigations were continuing.
“We are remaining vigilant and are doing everything we can to ensure our customers are supported. It’s important everyone stays vigilant to any suspicious activity online or over the phone,” he said.
“We will continue to support all people who have been impacted by this crime through our cyber response support program. This includes mental health and wellbeing support, identity protection and financial hardship measures.”
Some 9.7 million current and former customers were affected by the Medibank hack.
In October, the hackers demanded a $US1 per customer ransom, which Medibank declined to pay.
Government Services Minister Bill Shorten said it was shocking.
“The people who’ve hacked Medibank are absolute criminal lowlife,” he told ABC Radio on Thursday.
“If people think that any government ID has been in any way breached or they’re aware of it, contact us.
“There’s no particular comfort that you can give people, but when it’s to do with a government services area, we will red flag anyone we see whose information has been hacked … if anyone tries to use that ID.”
The latest data breach coincides with law firm Maurice Blackburn launching a compensation claim against the health insurance over the hack.
The firm has lodged a formal complaint with the Office of the Australian Information Commissioner, which could order Medibank to pay money to customers affected.
Principal lawyer Andrew Watson said the hack had caused significant distress tio customers.
“The right to privacy is a fundamental human right, and the representative complaint to the Australian Information Commissioner offers an avenue of redress to the millions affected by this incident,” he said.
“We cannot undo the damage that has been caused in this data breach, but we can ask the commissioner to investigate the data breach and seek compensation from Medibank on behalf of those affected.”
Mr Shorten said Medibank customers would be feeling violated.
“We’re just going to have to muscle up and put whatever resources we need to protect people’s information from the government side,” he said.
Federal government agencies as well as Australian Federal Police have been investigating the hack.
Read More: news.google.com