The Medibank hackers appear to have released their full trove of information after the company refused to pay a ransom. 

Russian criminals who stole the personal information of about 10 million Australians from Medibank have dumped a series of very large files.

Cyber Security Minister Clare O’Neil and Attorney-General Mark Dreyfus say they have been advised that all hacked Medibank and AHM customer data was potentially released onto the dark web.

Screenshots purporting to show the conversation between Medibank and the hackers suggest the shady criminal group grew tired of apparent delaying tactics by the health insurer. 

Medibank refused to pay a US$10 million ransom demand, which was later reduced to US$9.7 million, or $1 per affected customer. According to the screenshots, the group allowed Medibank the option of paying them directly, or going through its ‘affiliate program’, in which another group would be allowed to collect an even higher ransom for the data.

Medibank said it is still in the process of analysing the latest leaked data, but it “appears to be the data we believed the criminal stole.”

“While our investigation continues there are currently no signs that financial or banking data has been taken,” Medibank said. 

“And the personal data stolen, in itself, is not sufficient to enable identity and financial fraud. The raw data we have analyzed today so far is incomplete and hard to understand.”

Australia’s data and privacy watchdog, the Office of the Australian Information Commissioner (OAIC) has announced an investigation into the personal information handling practices of Medibank. 

“If the investigation finds serious and/or repeated interferences with privacy in contravention of Australian privacy law, then the Commissioner has the power to seek civil penalties through the Federal Court of up to $2.2 million for each contravention,” the OAIC said.

The hack occurred before the Australian parliament passed legislation allowing fines of up to $50 million for repeated or serious data breaches.

The Australian Federal Police (AFP) claims to know the identity of the individuals responsible for the attack on Medibank, and that they are based in Russia. The Russian Embassy in Canberra has not backed the allegations.

The attackers already appear to be moving on from the Medibank hack, having posted new victims to its dark web blog, including New York-based medical group Sunknowledge Services and the Kenosha Unified School District.