Medibank won’t pay ransom as more stolen data shows up on dark web

November 10, 2022 admin

Medibank has confirmed more customer details compromised in a recent security breach have popped up on a dark web forum, describing the illegal sale as a disgrace. The Australian health insurer is refusing to fork out any ransom payment for the data, pointing to expert advice and government guidelines.

“The weaponisation of people’s private information in an effort to extort payment is malicious and an attack on the most vulnerable members of our community,” Medibank CEO David Koczkar said in a statement Thursday. “The release of this stolen data on the dark web is disgraceful.”

The company urged the public against downloading the data, which hackers last week had threatened to begin releasing on the forum. Reports have pegged ransom demands upwards of $10 million, or $1 for each compromised customer account.

First announced last month, the security breach compromised the personal data of 9.7 million current and former customers as well as some of their authorised representatives. Amongst those impacted were 1.8 million international customers.

According to Medibank, the hackers did not access primary identity documents such as drivers’ licences for local customers, or credit card and banking information. However, they were able to access data such as names, dates of birth, addresses, phone numbers, and email addresses. Health claims data of 480,000 customers also were leaked, including locations where they had received medical services and codes linked to diagnoses and procedures administered.

Medibank on Wednesday ascertained the files had surfaced on the forum and appeared to be a sample of data that was leaked, which included passport numbers of some customers who were international students. The insurer said it expected more batches to be released and would inform customers whose data had popped up on the forum.

Koczkar said the company had no plans to pay any ransom to the hackers behind the data theft.

“Based on the extensive advice we have received from cybercrime experts, we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” he said Monday in a statement to the Australian Stock Exchange. “Paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.”

“It is for these reasons we have decided we will not pay a ransom for this event,” he said. “This decision is consistent with the position of the Australian government.”

Medibank said it was providing support to customers impacted by the breach through its Cyber Response Support Program, which included identity protection, financial measures, and mental wellbeing support.

It added that it had beefed up existing monitoring of its network, adding detection, analytics, and forensics capabilities across its systems. It noted that it was required by law to retain some customer information for at least seven years from when the customer leaves.

Meanwhile, Australia’s proposed legislation to increase financial penalties for data privacy violators was passed Wednesday. It pushes up maximum fines for serious or repeated breaches to AU$50 million ($32.34 million), from its current AU$2.22 million, or three times the value of any benefit obtained through the data misuse, or 30% of the company’s adjusted turnover in the relevant period, whichever is greater.

The Bill also empowers the Australian Information Commissioner to resolve privacy breaches and more quickly share information about data breaches.