“We will not pay a ransom”: Medibank cyberattack impacts 9.7m customers

Private health insurer Medibank (ASX: MPL) has announced today it will not pay ransom for the data theft of its 9.7 million current and former customers, instead warning Australians they may be contacted by criminals or see their data published online.

Medibank shares rose 2.3 per cent following the declaration, although they are still down 18 per cent from when the issue first came to light.

The update comes more than two weeks after the company said it was contacted by a criminal regarding the stolen data, which has now been confirmed to affect roughly 5.1 million Medibank customers, 2.8 million ahm customers and 1.8 million international customers.

International students also had their passport numbers and visa details accessed.

“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” Medibank CEO David Koczkar said.

“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.”

“It is for these reasons we have decided we will not pay a ransom for this event.”

The attack also saw the hacker gain access to health claims data for roughly 160,000 Medibank customers, 300,000 ahm customers and 20,000 international customers. This includes service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered.

The breach also targeted the public health system, with 5,200 My Home Hospital customers in South Australia having their personal and health claims data accessed. Around 2,900 next of kin of these patients also had some contact details stolen.

Medibank, which does not have cyber insurance, estimates the breach could cost between $25 million and $35 million, excluding costs accrued in remediation or legal fees.

“We take seriously our responsibility to safeguard our customers,” Koczkar said.

“The weaponisation of their private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community.

“Medibank will also commission an external review to ensure that we learn from this event and continue to strengthen our ability to safeguard our customers.”

The update comes three days after eco-friendly online retailer Flora & Fauna – which was acquired by BWX last year for $26 million – identified that malicious code inserted into its website may have resulted in customer credit card numbers and expiry dates being shared to an unauthorised third party.

Approximately 2,500 Flora & Fauna customers who accessed the website between 13 August 2022 and 29 September 2022 have been notified of the possibility that their credit card number and expiry date were stolen.

BWX does not anticipate a material impact on its business due to the incident, although it has been suspended from trading since August given it still has not delivered audited financial results for FY22.
