Medibank says data posted to a dark web forum overnight appears to be the data stolen in its data breach.
Claiming this was the final dump, the alleged attacker posted six zipped files containing what appears to be raw data, the health insurer said in a statement this morning.
Medibank said “much of the data is incomplete and hard to understand” – for example, health claims data in today’s drop isn’t joined with customer name or contact details.
“While our investigation continues there are currently no signs that financial or banking data has been taken,” Medibank said.
“And the personal data stolen, in itself, is not sufficient to enable identify and financial fraud.”
iTnews has not attempted to locate the files, but a report by The Guardian said the Zip file is 5GB in size.
Medibank CEO David Koczkar said: “We are remaining vigilant and are doing everything we can to ensure our customers are supported. It’s important everyone stays vigilant to any suspicious activity online or over the phone.
“We will continue to support all people who have been impacted by this crime through our cyber response support program. This includes mental health and wellbeing support, identity protection and financial hardship measures.
“If customers are concerned, they should reach out for support from our cybercrime hotline, our mental health support line, Beyond Blue, Lifeline or their GP.”
Medibank said data exposed in the breach included:
- The name, date of birth, address, phone number and email address for around 9.7 million current and former customers and some of their authorised representatives;
- Medicare numbers (but not expiry dates) for ahm customers;
- Passport numbers (but not expiry dates) and visa details for international student customers;
- Health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers;
- Around 5200 My Home Hospital (MHH) patients have had some personal and health claims data accessed and around 2900 next of kin of these patients have had some contact details accessed; and
- Health provider details, including names, provider numbers and addresses.
The organisation said claims for “extras” services were not accessed; nor were credit card numbers or other banking details.
