Australian health insurer Medibank has revealed it’s been contacted by a group that claims to have its customers’ data and is threatening to distribute it.

As The Register reported last week, on October 13 the formerly government-owned insurer advised [PDF] it had spotted “unusual activity on its network” and had taken systems for sub-brand “ahm” offline, along with apps that deliver an insurance product for overseas students. The company said it could find no evidence that sensitive data had been accessed, but had hired cyber security firms to make sure it was on top of the situation.

An October 17, the company issued an update [PDF] describing the incident as “consistent with the precursors to a ransomware event” and explained it had taken down the apps mentioned above out of an abundance of caution, and had used the downtime to improve security across its operations.

The company’s next update, on October 19, offered the following far nastier diagnosis:

“This is a new development and Medibank … is working urgently to establish if the claim is true, although based on our ongoing forensic investigation we are treating the matter seriously at this time,” the latest advisory adds.

The company, which listed on the Australian Securities Exchange (ASX) in 2014 after nearly 40 years as a government-owned non-profit insurer, advised the ASX that it was suspending trading of its shares amid likely disruptions to services.

Australian media report that whoever contacted Medibank has threatened to email personal data to people on the database, to prove they possess data describing the insurer’s customers. If Medibank doesn’t discuss payment to prevent wider release, the alleged attackers say they’ll sell the data they lifted.

Australia’s home affairs minister has rated the incident as “significant” and warned Australians that cyberattacks are the new – and unpleasant – normal.

Statement on Medibank cyber incident:

A significant cyber security incident has occurred within Medibank. The facts are continuing to be established.

I have spoken with the CEO of Medibank, David Koczkar, and the heads of the @ASDGovAu and the @AusFedPolice.

— Clare O’Neil MP (@ClareONeilMP) October 19, 2022

The escalation of the incident comes after Singapore-owned Australian telco Optus leaked nearly ten million records and earned plenty of anger for an inconsistent and unempathetic response.

Between the Medibank breach, the Optus hack, and some smaller incidents, infosec has dominated Australia’s news cycle for almost a month. The heat is on all organizations to get their cybers in order … if they can. ®