In late 2022, the personal information of 9.7 million Australians was stolen from Medibank, the country’s largest health insurance company.
Sensitive documents, including abortion records, were then published online.
The cyber sanctions, the first of their kind in Australia, include financial penalties and a travel ban on Aleksandr Ermakov.
Little has been made public about Mr. Ermakov, but Australian intelligence officials say he was part of REvil, a Russian cybercrime gang linked to attacks across Europe, the US and the UK.
Announcing the measures on Tuesday, Home Affairs Minister Clare O’Neil called the Medibank hack “the most devastating cyber attack we have experienced as a nation”.
It is the first time the government has used the cyber sanctions law, passed in 2021, which imposes financial penalties on people involved in major online attacks.
Australia has faced a number of major data breaches in recent years, but few have rocked the country like the Medibank attack.
Cybercriminals had stolen login credentials that gave them access to all of Medibank’s customer data, including the medical records of everyone from athletes to media figures to Prime Minister Anthony Albanese.
They began publishing the data online after the insurer refused to pay a ransom with government backing.
Medibank apologized at the time for what it called the “malicious weaponization” of private information.
Since then, several class action lawsuits have been launched arguing that firms should better protect such sensitive data.