Medibank says it will not pay ransom in hack that impacted 9.7 million customers

Medibank, one of Australia’s largest health insurance providers, stated on Monday that it would not make a ransom payment after recently disclosing that hackers managed to gain access to all of its customers’ personal data.

The organization initially announced last month that it had foiled a ransomware attack on its systems. The company has since confirmed that — based on its investigation to date — the criminals accessed data including the “name, date of birth, address, phone number and email address for around 9.7 million current and former customers and some of their authorized representatives.”

Alongside this personally identifying information, the criminals are also believed to have accessed health claims data for 480,000 customers, including “codes associated with diagnosis and procedures administered.”

All of the data which the criminals accessed “could have been taken” Medibank added.

The company explained that based on “the extensive advice we have received from cybercrime experts” it believes “there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published.

“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target,” the statement added.

Clare O’Neil, the Australian minister for home affairs and cybersecurity, described on Monday the company’s decision as “consistent with Australian government advice” and warned that paying ransoms directly undermined the country’s security.

“Cyber criminals cheat, lie and steal. Paying them only fuels the ransomware business model. They commit to undertaking actions in return for payment, but so often re-victimise companies and individuals,” she added.

Medibank shares dropped 18% two weeks ago after the company confirmed that customer data had been stolen, wiping around AUS $1.7 billion ($1.1 billion) from the company’s market value.

Medibank, which was formerly government owned before being privatized as a not-for-profit in 2014, has around 3.7 million customers in Australia and reported an annual group revenue of AUS $6.9 billion ($4.33 billion) in 2021.

The company warned the ASX last month that the incident was going to cost it at least AUS $25 million to address, even before considering customer compensation schemes, regulatory fines, and potential legal costs if it faces a class action.

Its breach followed a security incident affecting Optus, the country’s second-largest telecommunications company, which was initially described as a “sophisticated attack.”

This framing prompted significant criticism of Optus, including from O’Neil, who said the incident was “quite a basic hack.”

Writing on Twitter in response to Medibank’s announcement about not paying a ransom, O’Neil added: “We see and recognise the urgent need to address the conditions that have allowed the two largest cyber attacks in our history to occur within the space of two months.”


Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.