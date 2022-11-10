A cyber extortionist has demanded about $10 million to stop leaking medical records of Australians caught up in one of the country’s worst cyber attacks.

In a message posted on the dark web early Thursday morning, the hacker said he was demanding $1 from Medibank, Australia’s largest private health insurance company, for each of the 9.7 million customers affected in a massive data breach last month.

The cybercriminal organization, or criminal organization, has also released information that it claims links clients to their abortions, after earlier this week it released a “bad list” showing clients who have received treatments for addiction, mental health problems and HIV.

Local media has linked a dark web forum used to spread the hacked data to the REvil crime group, which Russian authorities said they shut down earlier this year at the request of the United States.

Medibank CEO David Koczkar on Thursday condemned the hacker’s actions as “disgraceful” while repeating his apologies to customers.

“We remain committed to full and transparent communication with customers and will communicate with customers whose data has been published on the dark web,” Kojkar said.

“Wearing people’s private information in an attempt to extort payments is malicious, and it is an attack on the most vulnerable members of our society.”

Medibank refused to pay the ransom, citing advice from cybercrime experts that doing so would not guarantee customer information would be returned and could put “more people in harm’s way by making Australia a bigger target”.

The Australian Federal Police, which is investigating the cyber attack, has warned that downloading or even just accessing data could be a criminal offence.

Home Affairs Secretary Claire O’Neill described the hackers as “phantom criminals”.

“I cannot express my disgust with the scum who are at the center of this criminal act,” O’Neill told Parliament on Wednesday.

The cyber attack, which first surfaced last month, is the latest in a string of big data breaches rocking Australia.

Optus, Australia’s second-largest telecoms provider, announced in September that the data of up to 10 million customers had been compromised in a cyber attack on the company.