Medibank Refuses to Pay Ransom After Data Breach

Australia's largest health insurer Medibank has announced it will not pay a ransom to the threat actors behind the October data breach affecting 9.7 million customers.

Writing on LinkedIn over the weekend, Medibank CEO David Koczkar said that, based on the advice the company has received from cybercrime experts, it believes there is only a limited chance that paying a ransom would ensure the return of customers' data and prevent it from being published.

"Paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm's way by making Australia a bigger target," Koczkar added.

Jordan Schroeder, managing CISO at Barrier Networks, agreed that paying ransoms could encourage criminal behavior.

"All recommendations from law enforcement are to not pay ransoms, as it equips and rewards criminal behavior. If people stopped paying, then ransomware would end. Legislation is growing that is making the paying of ransoms illegal, but these laws are in their infancy."

In the LinkedIn write-up, Koczkar apologized "unreservedly" but said that, based on Medibank's investigation, the criminal is believed to have accessed the personal details of around 5.1 million Medibank, 2.8 million ahm (Australian Health Management) and 1.8 million international current and former customers. Also at risk was health claims data for roughly 160,000 Medibank, 300,000 ahm and 20,000 international customers.

However, the criminal allegedly did not access credit card and banking details, or health claims data for "extras" services.

"I strongly encourage customers to remain vigilant as the criminal may publish customer data online or attempt to contact customers directly," Koczkar warned.

"We're continuing to inform affected customers of what data we believe has been accessed or stolen and provide advice on what they should do and stand ready to support them."

As a response to the incident, Koczkar added that Medibank is expanding its Cyber Response Support Program to include a cybercrime health and well-being line, proactive support for vulnerable customers, tailored preventative health advice and resources specific to cybercrime.

"We continue to work with the Australian Government, including the Australian Cyber Security Centre and the Australian Federal Police," the executive wrote.

"In addition to our ongoing investigations, we're commissioning an external review to ensure that we learn from this event and continue to strengthen our ability to safeguard our customers."

The Medibank data breach is only the latest in a series affecting firms in Australia in the last few months. These include Optus and Telstra, among others.
