‘You can’t trust a criminal’: Why Medibank won’t pay cyber ransom
By Colin Kruger, Nick Bonyhady and Sarah Keoghan
Medibank Private has drawn a line in the sand and will not pay a ransom to hackers as the company reveals more details about the personal information of 9.7 million current and former customers exposed by the cyberattack.
Medibank chief executive David Koczkar on Monday highlighted the complex risks involved in giving in to the demands of cybercriminals.
“You just can’t trust a criminal,” Koczkar said. “All the advice is that paying does not guarantee that the data will be returned. It dramatically increases the chance of people being exploited and more Australians being at risk.”
Cybersecurity Minister Clare O’Neil welcomed the decision.
“Medibank’s decision is consistent with Australian government advice. Cybercriminals cheat, lie and steal. Paying them only fuels the ransomware business model. They commit to undertaking actions in return for payment, but so often re-victimise companies and individuals,” she said.
“I want Australia to be the most cyber-safe country in the world. The payment of ransoms directly undermines that goal.”
Medibank said it consulted extensively with cybercrime experts before making the decision.
“It is for these reasons we have decided we will not pay a ransom for this event.”
Shane Bell, a cybersecurity expert with McGrathNicol, backed Medibank’s stance.
“There’s absolutely zero verification provided back to you that they will do what they say they’ll do,” he said.
“You’re taking them at face value. They say they’ll delete the data, and not publish it, but in my experience they won’t provide it back to you even if you ask.”
Koczkar said the group was unaware of any cases where the hack had been linked to cybercrime directed against customers, but it was bracing for the possibility that such exploitation might now begin following its refusal to pay.
This could occur via the publishing of customer data online or an attempt to contact customers directly.
“I encourage any customer who actually has their data compromised – because we have no evidence of that data being released externally – then please get in touch with us. Or, with the government through Report Cyber,” he said.
The update from Medibank said basic customer information of 9.7 million current and former customers was accessed, but it was able to narrow down the number of customers who had their private health information accessed to less than 500,000.
This includes 160,000 Medibank customers, about 300,000 customers of its budget ahm brand, and about 20,000 international customers.
The group said this included service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered. Additionally, about 5200 My Home Hospital (MHH) patients have had some personal and health claims data accessed and about 2900 next of kin of these patients have had some contact details accessed.
Medibank said the data accessed for all 9.7 million current and former customers consisted of customer name, date of birth, address, phone number and email address. That total comprises about 5.1 million Medibank customers, about 2.8 million ahm customers and about 1.8 million international customers.
The company reiterated that no credit card details were stolen.
It might not be enough to convince customers that Medibank is worth staying with.
Sutherland resident Gary Laing, 61, has been with Medibank since he was 18 and found out about the hack while listening to Sydney’s radio 2GB.
Laing received two emails from Medibank saying his information was “safe” but he is less than convinced, labelling the breach of his private details as “disgusting”.
After years of loyalty to the insurance provider, Laing is expecting some level of compensation.
“I’m waiting on a law firm to start a class action against them,” he said. “I won’t move [providers] at the moment but will consider it if no compensation is paid to us.”
On Monday, Medibank also announced it would commission an external review with more details to be announced in the near future.
“Medibank commits to sharing the key outcomes of the review, where appropriate, having regard to interests of its customers and stakeholders and the ongoing nature of the Australian Federal Police investigation.”
An update could come as early as the company’s annual shareholder meeting next week.
Medibank first revealed the cyber incident last month, but initially said there was no evidence customer data had been accessed. This escalated the following week when Medibank received a ransom note from the hackers, which was also sent to The Sydney Morning Herald and The Age.
The unknown group said it would sell 200 gigabytes of stolen data unless Medibank paid a ransom. The hackers also threatened to release confidential records of Medibank’s 1000 most famous customers.
The cyberattack is the subject of an Australian Federal Police investigation.
Koczkar said last month the company continued to work closely with agencies of the federal government, including the ongoing criminal investigation into this matter.
“This is a malicious attack that has been committed by criminals with a view of causing maximum fear and damage, especially to the most vulnerable members of our community,” he said.
Ratings agency Fitch said the Medibank cyberattack underscored that financial institutions and corporates with large amounts of sensitive client data were at higher risk. But the agency highlighted the fact that Australian companies were particularly vulnerable to attack.
“In Australia, the lack of sufficient penalties and accountability has made organisations more attractive targets and underlines a demand for a more comprehensive and vigorous approach,” Fitch said in a report on Friday.