The Australian Federal Police (AFP) has claimed the main culprits behind Medibank’s breach that exposed millions of customers’ data are located in Russia.
AFP commissioner Reece Kershaw announced at a media conference that its intelligence flagged “a group of loosely affiliated cyber criminals” as being behind the data breach of the health insurer and as likely responsible for other "significant" breaches around the world.
He said the agency believes those responsible for the breach are located in Russia, with some affiliates potentially based in other countries.
Kershaw also said the AFP believes it knows the identities of those responsible for the breach but refused to name them, adding that it will be holding talks with Russian law enforcement about the individuals.
“To the criminals: We know who you are, and moreover, the AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system,” he said.
The attribution of the theft of Medibank's data to criminals located in Russia comes weeks after the initial announcement on 21 October, when the health insurer claimed 200GB of sensitive information was stolen.
At the time, Medibank said the data included first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data.
The claims data also included the location where a customer received medical services, and codes relating to their diagnosis and procedures.
Days later on 25 October, Medibank said that the theft was larger than it initially thought as criminals claimed to have 1,000 ahm records of personal and health data.
On 8 November, Medibank said the cyber criminals claimed they would release customer data on what the health insurer alleged was the “dark web” in 24 hours. The cyber criminals did so on 9 November and, as of publishing, have continued to do so every day since.
Meanwhile, the federal government is looking to introduce laws that fine companies for serious or repeated privacy breaches, having tabled changes to the Privacy Act in late October.
Under the proposed changes, the maximum fine for data breaches will rise from $2.2 million to up to $50 million, 30 per cent of adjusted turnover or three times the value of any benefit obtained through the misuse of information, whichever is the greater amount.
The AFP announcement on Medibank’s breach also comes a day after Optus said it has put $140 million aside as an ‘exceptional expense’ towards recovery activities following its mass cyber security breach in September.