Medibank Hacker Sanctioned for Australia’s Worst-Ever Data Breach


Australia has announced a series of "unprecedented" sanctions targeting a newly named hacker linked to the 2022 Medibank data breach. 

Aleksandr Ermakov, who was unveiled yesterday as one of the hackers involved in the incident, has been hit with sanctions including a travel ban and financial penalties in a first-of-its-kind move from the Australian government. 

"This is the first time an Australian government has identified a cyber criminal and imposed cyber sanctions of this kind and it won't be the last," said Australia's Home Affairs Minister Clare O'Neil. 

"These people are cowards. They hide behind technology, and today the Australian government is saying that when we put our minds to it, we'll unveil who you are, and we'll make sure you are accountable."

The move follows an 18-month investigation into the Medibank breach, which saw the personal data of up to 9.7 million customers – including Medibank numbers and sensitive health information – being leaked on the dark web. 

Hackers had stolen login details which granted them access to all of Medibank's customer data - including the medical records of victims from athletes and media figures to Australian Prime Minister Anthony Albanese.

They began leaking the data online after Medibank’s insurer – backed by the Australian government – refused to pay a ransom.

"Medibank, in my view, was the single most devastating cyber attack we have experienced as a nation," O'Neil said Tuesday. 

"We all went through it, literally millions of people having personal data about themselves, their family members, taken from them and cruelly placed online for others to see."

What was the Medibank data breach?

The Medibank data breach was a major cybersecurity incident that occurred in October 2022, affecting 9.7 million current and former customers of the Australian health insurer Medibank and its subsidiary Ahm. It is considered the worst data breach in Australia's history.

Hackers gained access to Medibank's systems and stole a massive amount of customer data, including names, addresses, dates of birth, Medicare numbers, and for some, even sensitive medical information like diagnoses, procedures, and abortion records.

The hackers initially released some of the stolen data on the dark web in December 2022, causing significant anxiety and distress among affected individuals. In January 2023, they released the remaining data, claiming it was "case closed" for the hack.

Millions of Australians had their personal and health information exposed, potentially putting them at risk of identity theft, fraud, and discrimination.

The breach caused significant reputational damage to Medibank and raised concerns about the security of personal data in Australia. The Australian Federal Police are still investigating the breach, and more people may face penalties.

Who is Aleksandr Ermakov?

Little has been made public about Aleksandr Ermakov, but Australian intelligence authorities say he is part of the Russian cybercriminal gang REvil and had some role in breaching Medibank’s private network.

A sanction notice filed in the Federal Register of Legislation said that the 33-year-old hacker also goes by the pseudonyms Alexander Ermakov, Gustave Dore, aiiis_ermak, blade_runner and JimJones online, and included photos of Ermakov that officials had obtained during the investigation. 

Russian hacker Aleksandr Ermakov. Source: Department of Foreign Affairs and Trade (DFAT)

REvil was reportedly dismantled by Russian authorities in 2022 after extracting an $11 million ransom from JBS Foods, a major food conglomerate. But the group has been linked to a range of cyber-attacks across Europe and the US. 

Defense Minister Richard Marles said Australia's intelligence agencies had tracked down Ermakov with the aid of the National Security Agency in the United States, and GCHQ in the United Kingdom.

"Ermakov doesn't have anonymity," he said. "We have named him for the first time globally. And his identity is now on display for every agency around the world."

‘Hack the hackers’

The sanctions decision was signed by the foreign affairs minister, Penny Wong, on Monday. 

"The listing acts in our national interest to impose costs on, influence and deter those responsible for malicious cyber activity," Ms Wong told reporters. 

"This will mean it's a criminal offence, punishable with up to 10 years imprisonment, to provide assets to him — or to use or deal with his assets," she told reporters.


Australia has strengthened its cyber security laws in the wake of the Medibank attack, pledging that its intelligence agencies would proactively seek to "hack the hackers."

But Monash University cyber crime expert Nigel Phair said deterring hackers from cybercrime would be difficult, even with drastic measures like naming and shaming them. 

"This is unlikely to dissuade other internationally-based cyber criminals from targeting Australian organizations or individuals, but is a step in the right direction," he said.
