Medibank refuses to pay ransom after 9.7 million health insurance customers have their data stolen

Embattled Australian health insurer Medibank says that it will not pay a ransom to cyber extortionists who stolen the personal data of almost ten million customers.

Last month attackers stole the personal details (including names, addresses, dates of birth, and phone numbers) of approximately 9.7 million current and former customers.  Almost half a million customers additionally had their private health data accessed, exposing details of medical treatments that they had made insurance claims over.

Medibank had initially described the attack as being "consistent with the precursors to a ransomware event", with data stolen from its systems before a criminal gang had been had an opportunity to encrypt files across the network.

Today the firm announced on its website that no ransom payment would be made to its attackers.

According to the firm, it consulted cybercrime experts for advice on how to respond to the security breach and determined that "there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published."

Instead, the company believes that "paying could have the opposite effect and encourage the criminal to directly extort our customers."

Medibank is telling customers to "remain vigilant" as the hackers may attempt to contact them directly, or publish the data online.

It's certainly the case that paying extortionists encourages them, and other criminals, to blackmail other businesses in future.  If no-one ever paid, it's hard to imagine that ransomware would be a problem at all.

But, of course, some organisations do pay up.  And although it's easy to criticise them for making that difficult decision, it may be that they felt powerless to make any other decision because a data breach might, if significant harm is done to their reputation, pose an existential threat to their business.

Whatever a company decides regarding paying a ransom, I would encourage it to work with law enforcement agencies in the hope of gathering evidence that may one day bring the culprits to justice.

And remember this: paying the ransom does not mean that you have erased the security holes that allowed your network to be compromised in the first place. If you don’t find out what went wrong and why, and fix it, then you could easily fall victim to another attack in the future.

It's a sorry and all-too-familiar tale, but what impresses me is that Medibank does appear to be making the right noises about helping affected customers.

Not only can victims being informed by the company about what data they believe has been accessed, and provided with information about what they should do, but they are also being offered hotlines and other services to assist.

These include:

• A cybercrime health and wellbeing line - with counsellors who have been trained to support victims of crime and issues related to sensitive health information.
• A mental health outreach service – providing support for vulnerable customers.
• Better Minds app – with tailored preventative health advice and resources specific to cybercrime and its impact on mental health and wellbeing, including tools for managing anxiety and fear.
• Personal duress alarms – for customers particularly vulnerable and/or with safety risks.

Such initiatives all cost money of course.  And it's Medibank which will be paying for it.  Or rather those people who insure through Medibank are likely to find their premiums increase next year to cover the cost of handling this unexpected incident.

Unless, of course Medibank had had the foresight to take out some err... cybersecurity insurance?