This is a malicious attack that has been committed by criminals with a view of causing maximum fear and damage.
Medibank CEO David Koczkar
Then there is the matter of principle. According to Fergus Hanson, director of ASPI’s international cyber policy centre, the more companies succumb to ransom demands, the greater the incentive for cyber criminals to continue.
That said, in Hanson’s experience many companies do pay criminals – and so widespread is this capitulation that specialist law firms, which advise and act as intermediaries between data thieves and victims, have mushroomed, and cyber insurance is commonplace.
In something of an ironic twist, despite being an insurer, Medibank chose not to buy cyber insurance because the number of caveats contained in the policy rendered it poor value for money.
Another factor that needs to be thrown into the ransom payment calculus is whether there is a threat to life. There is clearly a threat to mental health for those Medibank customers who have particularly sensitive information contained in their medical files: for example, those who have been treated as a result of domestic violence, or those whose relationships would be under threat if it was revealed they had been treated for a sexually transmitted disease. There could be numerous consequences for patients who have been treated for drug and alcohol addiction, or patients with depression or even heart conditions that they would rather keep hidden from their employer.
“This is a malicious attack that has been committed by criminals with a view of causing maximum fear and damage, especially to the most vulnerable members of our community,” Koczkar said on Tuesday.
Even if the criminals are paid, there remains a risk that the stolen data will be sold to scammers or state-sponsored actors. That said, the hackers are more likely to act within the constraints of their own business models. If the criminals don’t do what they promise, they won’t have the leverage to demand ransoms in future.
Hanson says the best way to combat cyber criminals is for Australia to ban organisations from paying ransoms. But a lot, and likely the majority, of these incidents go unreported as businesses see them as a threat to profits and brand.
Medibank’s shares are due to begin trading again on Wednesday and more updates are likely on their way. With investigations underway to determine the full magnitude of the breach, Medibank’s board and investors should start counting the dollars the insurer will have to part with.