Medibank Private says it will not pay a ransom to the hackers who accessed personal information of 9.7 million current and former customers.
“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” Medibank chief executive David Koczkar said in a statement on Monday morning.
“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.”
“It is for these reasons we have decided we will not pay a ransom for this event.”
The update from Medibank also said basic customer information of 9.7 million current and former customers was accessed, but it was able to narrow down the number of customers who had their private health information accessed to less than 500,000.
This includes 160,000 Medibank customers, around 300,000 customers of its budget ahm brand, and around 20,000 international customers.
Medibank said this includes service provider name and location, where customers received certain medical services, and codes associated with diagnoses and procedures administered. Additionally, around 5,200 My Home Hospital (MHH) patients have had some personal and health claims data accessed, and around 2,900 next of kin of these patients have had some contact details accessed.
Medibank said the data accessed for all 9.7 million current and former customers consists of customer name, date of birth, address, phone number and email address. This represents around 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers.
The company reiterated that no credit card details were stolen.
Cybersecurity Minister Clare O’Neil has said previously that the federal government is against the payment of cybercrime ransoms, but confirmed it is not illegal.
“The formal advice of the Australian Government is don’t pay ransoms,” O’Neil has said.
“These people are hard criminals and they are dishonest. They’ll tell you all sorts of things about what will happen in the aftermath of paying a ransom and by nature these people are liars and we suggest not co-operating with them.”
Medibank first revealed the cyber incident last month, but initially said there was no evidence customer data had been accessed. This escalated the following week when Medibank received a ransom note from the hackers which was also sent to the Sydney Morning Herald and The Age.
The unknown group said they would sell 200 gigabytes of stolen data unless Medibank paid a ransom. The hackers also threatened to release confidential records of Medibank’s 1000 most famous customers.
The cyberattack is the subject of an investigation by the Australian Federal Police.
Koczkar said last month that the company continued to work closely with agencies of the federal government, including the ongoing criminal investigation into this matter.
“This is a malicious attack that has been committed by criminals with a view of causing maximum fear and damage, especially to the most vulnerable members of our community,” he said.
Ratings agency Fitch said the Medibank cyberattack underscored that financial institutions and corporates holding large amounts of sensitive client data were at higher risk. The agency also highlighted that Australian companies were particularly vulnerable to attack.
“In Australia, the lack of sufficient penalties and accountability has made organisations more attractive targets and underlines a demand for a more comprehensive and vigorous approach,” Fitch said in a report on Friday.