
Medibank hack: Russian sanctioned over Australia's worst data breach

Image caption: The never-before-used cyber sanctions include a travel ban and financial penalties for Aleksandr Ermakov (image source: DFAT)

A Russian man has been named and sanctioned for his role in Australia's worst data breach.

The personal information of 9.7m Australians was stolen from the country's largest health insurer, Medibank, in late 2022.

Sensitive documents, including abortion records, were then posted online.

The cyber sanctions - the first of their kind in Australia - include financial penalties and a travel ban for Aleksandr Ermakov.

Little has been made public about Mr Ermakov, but Australian intelligence authorities say he is part of the infamous Russian cyber-crime gang REvil - which has been linked to attacks across Europe, the US and UK.

Announcing the measures on Tuesday, Home Affairs Minister Clare O'Neil described the Medibank hack as "the single most devastating cyber-attack we have experienced as a nation".

"Literally millions of people having personal data about themselves, their family members, taken from them and cruelly placed online for others to see," she said.

"These people are cowards and scumbags... we'll unveil who you are and we'll make sure you're accountable."

Authorities are still investigating the breach, Ms O'Neil added, and more people may face penalties.

It is the first time the government has used cyber sanctions legislation, passed in 2021, which applies financial punishments to people involved in significant online attacks.

Australia has faced a string of large data breaches in recent years, but few - if any - have rocked the country like the Medibank hack.

The cyber criminals had stolen login details which granted them access to all of Medibank's customer data - including the medical records of everyone from athletes and media figures to Prime Minister Anthony Albanese.

They began posting the data online after the insurer - with the government's support - refused to pay a ransom.

They first released a set of files named "good-list" and "naughty-list" which contained, among other things, people's health claims data - including records of treatment for mental health or addiction - as well as names, addresses, birthdates, and government ID numbers. Soon after they posted: "added one more file abortions.csv...", about some customers' end-of-pregnancy procedures.

Medibank at the time apologised for what it called the "malicious weaponisation" of private information, with CEO David Koczkar warning that the data release could stop people from seeking medical assistance.

Several class actions - which argue the firms should have better protected such sensitive data - have since been launched.