Medibank will not pay ransom in hack affecting 9.7 million customers

Medibank, one of Australia’s largest health insurance providers stated today that it will not pay the ransom affecting its corporate network and digital data. Late last month, Medibank announced that it had been hit with a cyberattack and that hackers had stolen over 200GB of data.

Clare O’Neil, Minister for Cybersecurity in Australia, tweeted today confirming the news.

O’Neil continued that the Australian government is “stepping up” on cybersecurity and ransomware after “a wasted decade for digital reform.”

Medibank initially claimed that the breach was limited to the “location of where a customer received medical services and codes relating to their diagnosis and procedures,” but later revealed hackers obtained access to “all personal customer data.”

Company spokespeople now confirm that customer “name, date of birth, address, phone number, and email address for around 9.7 million current and former customers and some of their authorized representatives” have been stolen.

However, Medibank is refusing to pay the ransom after consulting “extensive advice we have received from cybercrime experts.”

“There is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published. In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target,” the statement added.

“We take seriously our responsibility to safeguard our customers. The weaponisation of their private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community,” Medibank CEO David Koczkar said.

Medibank’s share prices have dropped 18% since the cyberattack disclosure two weeks ago, erasing $1.1 billion (USD) from the company’s market value.

Medibank states that “no unusual network activity has occurred” since the October 12, 2022, original breach.