The Guardian Australia

Medibank says it won’t pay ransom for customer data stolen in cyber-attack

- Josh Taylor

Medibank is refusing to pay a ransom to the alleged hacker who stole data relating to 9.7 million customers because there is no way the organisation can “trust criminals” not to further exploit people, the health insurer’s CEO, David Koczkar, says.

Last month Medibank revealed a hacker using compromised high-level credentials had been able to access the personal information of up to four million customers, including ahm and international student customers.

The company had said it had been in contact with the alleged attacker, and there had been speculation Medibank might pay a ransom to prevent the release of the data online.

However, in a statement to the Australian Stock Exchange on Monday, Koczkar said the advice the company had received – along with the Australian government position – was that no ransom should be paid.

In an interview with Guardian Australia, Koczkar said to pay a ransom amounted to extortion and might have resulted in customers or other businesses being targeted.

“You just can’t trust the criminals. Our advice is that not paying the ransom will provide the best security for our customers and also other Australians,” he said.

The chief executive would not reveal how much the alleged hacker had been asking for but said the amount was not a factor in the company’s decision. He said the decision was based on advice from cybercrime experts and the federal government.

Medibank has determined the scale of the breach is now much larger than earlier thought, with 9.7 million current and former customers having their names, dates of birth, phone numbers and email addresses accessed. That includes 5.1 million Medibank customers, 2.8 million ahm customers, and 1.8 million international customers.

Medibank says health claims for around 160,000 Medibank customers, 300,000 ahm customers and 20,000 international customers were accessed. The information exposed includes service provider names, and codes associated with diagnoses and procedures.

There were also 5,200 My Home Hospital patients who had their personal and health data accessed, and 2,900 next of kin of these patients who had some contact details accessed.


The attacker was also able to access Medicare numbers of ahm customers, and passport numbers and visa details for international student customers.

Medibank has determined that the attacker did not access primary ID documents such as driver’s licences for Medibank and ahm customers, and did not access credit card or banking details, or health claims data for extras services such as dental, physio or optical.

The company said it now believed that all of the data accessed could have been taken, and advised customers to be vigilant that the attacker may now publish the data online or attempt to contact customers directly.

“The weaponisation of their private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community,” Koczkar said.

The Australian federal police are continuing to investigate the attack.

Koczkar also revealed Medibank plans to release as much as possible from a separate independent investigation into the attack so that other businesses might be able to learn from how the attack occurred.

“We want to do everything we can to support our own customers but other people in this country from cyber attacks,” he said.

He said multi-factor authentication – which is designed to prevent people who steal credentials from being able to gain access to a system – was in place, but did not say whether it had also been compromised.

Medibank said there had been no more attempts to access its network since it shut out the attacker in early October. The company has been able to piece together the extent of the attack through what it said was a “complex process” that involved people analysing millions of records.

Current and former customers will be informed as to what was accessed and what they should do, Medibank said, with the advice to come via email, letter or via phone in some cases.

The company said it was required to keep the data of customers for up to seven years from when they cease being a Medibank customer “but in some instances longer”. When asked whether Medibank would like to see those laws changed, Koczkar said it was a discussion Australia needed to have.

“We need data to support our customers as they access health and wellbeing services. That question is an important question for the community,” he said.

“I think there needs to be consultation [and] discussion.”

The company has set up a counselling hotline (1800 644 325) for vulnerable customers concerned about the breach. Medibank has also said it will provide hardship support for some customers, as well as ID protection and monitoring, and reimbursement for ID replacements for those whose identities have been compromised.

Photograph: Rick Rycroft/AP. Medibank chief says insurer won’t pay ransom to alleged hacker of customer data.
