Australia has identified and imposed sanctions on a Russian individual for his involvement in the nation’s most significant data breach. In late 2022, personal information belonging to 9.7 million Australians was unlawfully accessed from Medibank, the country’s largest health insurer. Subsequently, sensitive documents, including abortion records, were posted online.

The cyber sanctions, marking a historic move in Australia, involve financial penalties and a travel ban for Aleksandr Ermakov. Although limited information has been disclosed about Mr. Ermakov, Australian intelligence authorities assert his affiliation with the notorious Russian cybercrime group REvil, known for its involvement in various cyberattacks across Europe, the United States, and the United Kingdom.

Home Affairs Minister Clare O’Neil, in announcing the sanctions on Tuesday, characterized the Medibank hack as “the single most devastating cyber-attack we have experienced as a nation.” She expressed concern over millions of individuals having their personal data exposed online, referring to the perpetrators as “cowards and scumbags.” Minister O’Neil pledged to reveal their identities and ensure accountability.

The breach, still under investigation by authorities, may result in additional penalties for other individuals involved. This incident marks the inaugural application of cyber sanctions legislation enacted in 2021, enabling the government to impose financial consequences on those implicated in significant online attacks.

Australia has confronted numerous large-scale data breaches in recent years, but none have had the profound impact of the Medibank hack. Cybercriminals gained access to login details that provided entry to all of Medibank’s customer data, including medical records of diverse individuals, ranging from athletes and media figures to Prime Minister Anthony Albanese.

Following Medibank’s refusal, with government support, to pay a ransom, the cybercriminals began releasing data online. Initial files, labeled “good-list” and “naughty-list,” contained health claims data, including records of mental health or addiction treatment, alongside names, addresses, birthdates, and government ID numbers. Subsequently, they posted a file titled “added one more file abortions.csv…” disclosing information about certain customers’ end-of-pregnancy procedures.

At the time, Medibank apologized for the “malicious weaponization” of private information, with CEO David Koczkaro cautioning that the data release could deter people from seeking medical assistance. In the aftermath, multiple class actions have been initiated, asserting that the firm should have taken better measures to safeguard such sensitive data.