Medibank boss, David Koczkar apologises after hack, refuses ransom demand
CEO David Koczkar apologised to the health insurer’s 3.8 million members but said the company would not be complying with the hacker’s demands.
Hacking
Don't miss out on the headlines from Hacking. Followed categories will be added to My News.
Australia’s biggest health insurer Medibank has revealed shocking new details surrounding a cyber attack but warned hackers they “will not pay any ransom demand for this data theft”.
Revealing for the first time new details on the scale of the cyber hack, Medibank has confirmed the hackers accessed health claims data for around 160,000 Medibank customers and around 300,000 ahm customers.
Stream more tech news live & on demand with Flash. 25+ news channels in 1 place. New to Flash? Try 1 month free. Offer available for a limited time only >
In recent weeks, a ransom note emerged threatening to release or sell to third parties personal information of persons of high media interest including diagnoses of sensitive medical conditions or addictions and credit card information.
The ransom note claimed to have access to sensitive medical information about “politicians, actors, bloggers, LGBT activists, drug addicted people, etc.”
Medibank confirmed in today’s statement that the stolen data included information about where customers received certain medical services, and codes associated with diagnosis and procedures administered.
In a statement to the ASX, Medibank chief executive David Koczkar apologised to the company’s 3.8 million members but said that there was no guarantee that paying the ransom would stop the hackers from using the stolen data and sensitive medical information.
“We take seriously our responsibility to safeguard our customers. The weaponisation of their private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community,” Mr Koczkar said.
“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published.
“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.”
“It is for these reasons we have decided we will not pay a ransom for this event,” he said.
In new information detailing the extent of the cyber attack, Medibank also revealed the hackers had:
• Accessed the name, date of birth, address, phone number and email address for around 9.7 million current and former customers and some of their authorised representatives.
• This figure represents around 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers
• Did not access primary identity documents, such as drivers’ licences, for Medibank and ahm resident customers. Medibank does not collect primary identity documents for resident customers except in exceptional circumstances
• Accessed Medicare numbers (but not expiry dates) for ahm customers
• Accessed passport numbers (but not expiry dates) and visa details for international student customers
• Accessed health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers. This includes service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered. Additionally, around 5,200 My Home Hospital (MHH) patients have had some personal and health claims data accessed and around 2,900 next of kin of these patients have had some contact details accessed
• Accessed health provider details, including names, provider numbers and addresses
• Did not access health claims data for extras services (such as dental, physio, optical and psychology)
• Did not access credit card and banking details
Medibank said customers should remain vigilant as the criminal may publish customer data online or attempt to contact customers directly.
“Medibank will also commission an external review to ensure that we learn from this event and continue to strengthen our ability to safeguard our customers,” he said.
Since the attack was first detected on October 12, Medibank said no further suspicious activity inside its systems has been detected.
Medibank said it was required by law to retain certain customer (including former customer) information for particular periods of time, generally for seven years from when a customer leaves us, but in some instances longer.
The company said it had expanded a dedicated Cyber Response Support Program.
The program already includes:
• Hardship support for customers who are in a uniquely vulnerable position as a result of this crime which can be accessed via our contact centre team (13 23 41 for Medibank and international customers, 13 42 46 for ahm customers and 1800 081 245 for MHH patients)
• Specialist identity protection advice and resources through IDCARE’s purpose-built Medibank page
• Free identity monitoring services for customers whose identity has been compromised as a result of this crime
• Reimbursement of ID replacement fees for customers who need to replace any identity
documents that have been compromised as a result of this crime
Originally published as Medibank boss, David Koczkar apologises after hack, refuses ransom demand
‘Dystopian’: 64 million people exposed
Researchers have exposed the paper thin security protecting data collected by McDonald’s AI.
Dire warning after Qantas breach
Qantas’ latest data breach is just one of many which has hit Australian companies over the years - but could the flagship airline have been better prepared?