Private health insurer Medibank (ASX: MPL) has announced today it will not pay ransom for the data theft of its 9.7 million current and former customers, instead warning Australians they may be contacted by criminals or see their data published online.
Medibank shares rose 2.3 per cent following the declaration, although they are still down 18 per cent from when the issue first came to light.
The update comes more than two weeks after the company said it was contacted by a criminal regarding the stolen data, which has now been confirmed to affect roughly 5.1 million Medibank customers, 2.8 million ahm customers and 1.8 million international customers.
International students also had their passport numbers and visa details accessed.
“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” Medibank CEO David Koczkar said.
“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.”
“It is for these reasons we have decided we will not pay a ransom for this event.”
The attack also saw the hacker gain access to health claims data for roughly 160,000 Medibank customers, 300,000 ahm customers and 20,000 international customers. This includes service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered.
The breach also targeted the public health system, with 5,200 My Home Hospital customers in South Australia having their personal and health claims data accessed. Around 2,900 next of kin of these patients also had some contact details stolen.
Medibank, which does not have cyber insurance, estimates the breach could cost between $25 million and $35 million, excluding costs accrued in remediation or legal fees.
“We take seriously our responsibility to safeguard our customers,” Koczkar said.
“The weaponisation of their private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community.
“Medibank will also commission an external review to ensure that we learn from this event and continue to strengthen our ability to safeguard our customers.”
The update comes three days after eco-friendly online retailer Flora & Fauna – which was acquired by BWX last year for $26 million – identified that malicious code inserted into its website may have resulted in customer credit card numbers and expiry dates being shared to an unauthorised third party.
Approximately 2,500 Flora & Fauna customers who accessed the website between 13 August 2022 and 29 September 2022 have been notified of the possibility that their credit card number and expiry date were stolen.
BWX does not anticipate a material impact on its business due to the incident, although it has been suspended from trading since August given it still has not delivered audited financial results for FY22.