November 7, 2022

Medibank Private Ltd, Australia’s largest health insurer, has said it will not pay a ransom to the alleged hacker who stole data from 9.7 million of its customers, citing the low probability that the payment would prevent the data from being released online.

David Koczkar said the company’s advice and the Australian government’s position was not to pay a ransom.

“Based on the extensive advice we have received from cybercrime experts, we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” he said.

“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target. It is for these reasons we have decided we will not pay a ransom for this event.”

Last month, the health insurance company revealed that a hacker with compromised high-level credentials had accessed the personal information of up to four million customers, including foreign students.

The company said it was in contact with the alleged attacker to determine the extent of the data obtained, and from there the rumors began that Medibank could pay a ransom to prevent the data from being published online.

Highlighting the findings of the investigation so far, Medibank confirmed that the data theft accessed the names, dates of birth, addresses, phone numbers and email addresses of around 9.7 million current and former customers and that their customers must be cautious as the criminal may disclose the information online or attempt to contact customers directly.

The sources for this piece include an article in Reuters.