The Medibank hack has worsened further, with the company warning some of its employees that their personal and work-device data has also been stolen.
In an email to employees late Monday, the health insurer said staff information, including mobile numbers and work device details, had been taken by the hackers.
The theft was part of the same hack that involved the data of nearly 10 million of the company’s current and former customers, including private health information of about 500,000 people.
The stolen customer data is being posted in batches on a blog run by the hackers, the latest on Monday. That batch contained about 500 records relating to people who have been diagnosed with mental illnesses, among other things.
The Russian criminals said they did not plan to post more information until Friday, and said they would closely monitor Medibank’s shareholder meeting on Wednesday.
“There are still more records for everyone to know,” they wrote in an update.
“We will announce that the next piece of data we will publish on Friday will completely bypass this week in the hope that something meaningful has happened by Wednesday.”
Medibank emailed its staff Monday night to reveal that the data obtained by the hackers included information on about 900 current and former employees.
“Hello everyone. We are sorry to inform you that some data related to your work device for the time you worked at Medibank has been stolen during the recent cybercrime,” the email read.
“We recognize the distress this may cause you and apologize that this has happened.”
The personnel information included names, email addresses, cell phone numbers and work device details. It was posted on the dark web last week.
“Our security team has advised that the above information can be used for more spam, such as spear phishing and social engineering,” Medibank wrote.
Spear phishing is a targeted email or electronic communication scam aimed at a specific individual, organization or company; unlike bulk phishing, it uses details the attacker already knows about the target, such as a real name, work email address, mobile number or device model, to make the message look legitimate. Social engineering is the broader practice of manipulating people into giving up private information or taking an action that benefits the attacker, such as resetting a password or approving a login prompt.
Medibank CEO David Koczkar apologized Monday for the latest release of sensitive customer information.
“We will continue to support all people affected by this crime through our Cyber Response Support Program,” he said.
“This includes mental health and wellness support, identity protection, and measures against financial hardship.”
Several health and community organizations have called on major social media outlets to remove posts containing sensitive information.
In the meantime, Medibank may also face legal action over the data breach.
Law firm Maurice Blackburn confirmed it is investigating whether clients affected by the hack could be entitled to compensation.
The firm’s principal lawyer, Andrew Watson, said the data breach was one of the most serious in Australia.
“Companies that hold sensitive health information of their customers have an important obligation to ensure that the information is protected, consistent with the sensitivity of that data,” he said.
“Medibank has a greater responsibility to provide more safeguards to secure the personal and health claims information it collects from its customers.”
As the government looks to improve cybersecurity legislation, Home Affairs Minister Clare O’Neil has indicated that it could soon be illegal for companies to pay a ransom to hackers if they fall victim to a data breach.
“The way we think about the task of reform … is some quick wins, things we can do quickly, and getting the new police operation up and running is one of them,” Ms O’Neil told the ABC’s Insiders program on Sunday.
Greens leader Adam Bandt said he welcomed the idea of banning ransoms but indicated other measures should be considered.
“We need a holistic assessment of whether too much data is being held in the first place, because once you collect all that data, it becomes a target for hackers,” he said in Melbourne.
“We need a general overview of whether companies are keeping too much data in the first place and whether that data is properly secured.”
Mr Bandt said consideration should be given to whether Medibank customers should receive compensation after the hack.
“It will be much better to prevent these kinds of attacks and avoid violating people’s privacy because if the data wasn’t kept this way in the first place, people could be safer,” he said.