Medibank says it won't pay a ransom despite threats to leak data

(Image credit: Pixabay)

One of Australia’s biggest health insurers, Medibank, has said it won’t be paying up in order to get its data back following a recent ransomware attack.

The decision was confirmed by the company’s CEO, David Koczkar, via LinkedIn, following a somewhat longer post on the platform earlier this week where he to Medibank customers for any problems caused by the attack, but said paying the ransom demand might make things even worse. 

“Based on the extensive advice we have received from cybercrime experts, we believe that there is only a limited chance paying a ransom would ensure the return of our customers’ data, and prevent it from being published,” he said. “In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.”

Opposite effect

According to Koczkar, the ransomware attack that took place in late October 2022, and allowed the threat actors to access personal details of around 5.1 million Medibank, 2.8 million ahm, and 1.8 million international current and former customers, and health claims data for around 160,000 Medibank, 300,000 ahm, and 20,000 international customers. 

“The criminal did not access credit card and banking details or health claims data for extras services,” the CEO confirmed.

He further warned the customers to stay vigilant, as the cybercriminals could now try and use the newly accessed data for secondary attacks. Crooks could reach out to customers directly and try to use the knowledge to scam them into giving away payment data, or similar. They could also use the personally identifiable information in identity theft attacks. 

To tackle the problem of ransomware, Medibank says it is expanding its Cyber Response Support Program to now include a cybercrime health & wellbeing line, proactive support for vulnerable customers, tailored preventative health advice and resources specific to cybercrime and personal duress alarms for vulnerable customers, the CEO concluded. 

The Australian Government, the Australian Cyber Security Centre, and the Australian Federal Police, have been notified and are currently investigating the matter. 

Via: InfoSecurity Magazine

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.