Medibank refuses pay ransom after 9.7m customers’ details stolen

Australian health insurance company Medibank has said that it will not be paying a ransom to the hacker that accessed the personal details for 9.7m current and former customers. 

The data breach took place after a hacker gained unauthorized access to Medibank's internal servers on October 13. Originally, Medibank believed that no customer information had been stolen during the hack, however the company was then contacted on October 16 by the supposed hacker, who threatened to sell the data if their ransom demands were not met.

After reviewing a sample of the 200GB worth of data the malicious actor claimed to have stolen, Medibank confirmed that the claims were legitimate. Further investigations by Medibank into the cyber attack revealed how much data was accessed and the nature of data stolen.

The details accessed in the data breach included customer’s names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, passport numbers and visa details, in addition to the health claims data for 192,000 customers. The health claims data accessed includes service provider name and location, the location where the customer received medical services and codes associated with procedures administered and diagnoses given. Medibank has said it will continue to contact those affected by the breach.

The CEO of Medibank, David Koczkar, explained the decision: "Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published. 

"In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target. It is for these reasons we have decided we will not pay a ransom for this event," Koczkar added.  

Medibank warned customers to "stay vigilant" as, based on the nature of the breach, the company believes all data accessed could have been taken by the hacker. Additionally, Medibank cautioned customers affected by the breach that the hacker may publish their details online or try and contact them directly.

In response to the cyber security incident, Medibank has expanded its Cyber Response Support Program to include "mental health and wellbeing support, identity protection and financial hardship measures". The company has also said that it will be commissioning an external review to "ensure that [the company] learn[s] from th[e] event" and "continue[s] to strengthen [its] ability to safeguard [its] customers".

The company has also said it will continue to work with the Australian Government, the Australian Cyber Security Centre and the Australian Federal Police, as well as continuing to monitor its network for any suspicious activity by scaling up its analytical support and adding further detection and forensics capability across its systems.