Medibank, one of Australia’s largest private health insurance providers, announced it will not pay a ransom to the threat actors behind the October data breach that affected around 9.7 million customers.
In an update posted on November 8, the company said it is “aware of media reports of a purported threat from a criminal to begin publishing stolen Medibank customer data online in 24 hours.” However, Medibank said it had decided not to pay the ransom to the threat actors who stole the data.
“Based on the extensive advice we have received from cybercrime experts, we believe that there is only a limited chance paying a ransom would ensure the return of our customers’ data, and prevent it from being published. In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target,” Medibank CEO David Koczkar wrote in a post on LinkedIn.
Koczkar added that based on Medibank's investigation, the criminal would have accessed the personal details of around 5.1 million Medibank, 2.8 million ahm (Australian Health Management) and 1.8 million international current and former customers. Also at risk was health claims data for roughly 160,000 Medibank, 300,000 ahm and 20,000 international customers. Credit card and banking details or health claims data for extras services were not compromised in the data breach, the company said.
The Medibank incident is the latest in a string of data breaches affecting firms in Australia in the last few months, including Optus and Telstra.