Medibank says no ransom payment will be made to the criminal responsible for the recent data hack, as the private health provider revised the headline figure for its data losses.
Key points:
- Medibank is yet to confirm the figure of the ransom demand
- But it believes paying could have "the opposite effect" and encourage criminal behaviours
- The number of affected customers has grown to 9.7 million
The company believes the criminal accessed the name, date of birth, address, phone number and email address for about 9.7 million current and former customers and some of their authorised representatives.
This figure, which has more than doubled since the last update from the company, represents around 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers.
Medibank also believes that all of the customer data accessed could have been stolen, given the nature of this crime.
In late October, the company said the criminal entity behind the cyber attack on the company had access to the data of at least 4 million customers — some of which includes health claims.
On Monday, the health insurer confirmed the criminal had also accessed health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers.
This includes service provider names and locations, where customers received certain medical services, and codes associated with diagnosis and procedures administered.
Additionally, around 5,200 My Home Hospital (MHH) patients have had some personal and health claims data accessed and around 2,900 next of kin of these patients have had some contact details accessed.
Why won't Medibank pay the ransom?
Medibank would not confirm, for security reasons, when it received the ransom request or how much was demanded, but it refused to make any ransom payment, saying the decision "is consistent with the position of the Australian government".
The federal government has yet to respond to the latest data breach update.
"Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published," Medibank chief executive David Koczkar said in a statement.
"In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.
"It is for these reasons we have decided we will not pay a ransom for this event."
Cybersecurity expert Lyria Bennett Moses said that Medibank was caught "between a rock and a hard place" and that there is no straight answer to whether organisations should pay a ransom.
"There is no right answer here," Professor Moses told the ABC.
"People pay ransom, but they are taking on legal risk in the sense that there is the possibility that the organisation can be accused of money laundering or funding terrorism ... [and] essentially they are funding more of this kind of cybercrime as well.
"On the other hand, by not paying the ransom, they increased the risk that individuals whose data is caught up in this, who obviously have done nothing wrong, will be directly harmed."
Most identity documents for local customers safe
Medibank has also confirmed that the criminal did not access primary identity documents, such as driver's licences, for Medibank and ahm resident customers, adding that it does not collect primary identity documents for resident customers except in exceptional circumstances.
Health claims data for extras services, such as dental, physio, optical and psychology, and credit card and banking details were not accessed either, the insurer said.
However, Medicare numbers (but not expiry dates) of ahm customers, and passport numbers (but not expiry dates) and visa details of international student customers, were also accessed.
Medibank apologised to its customers and said it is "committed to taking decisive action to protect our customers".
It said it would commission an external review and continue to strengthen its ability to safeguard its customers.
All Medibank and ahm customers have been urged to contact the company's cyber response hotlines by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31) or through an information page on the firm's website.
Medibank said its customers could also speak to experienced and qualified mental health professionals 24/7 over the phone for advice or support around mental health or wellbeing (1800 644 325).
Additional reporting by Emilia Terzon