The hackers behind the Medibank breach have threatened to release the data of more than 9.7 million customers within 24 hours, after the health insurer announced it will not pay the ransom demand.
The ransomware group announced its intention to release its victims' personal data on its dark web blog early this week. However, the post did not include any data samples to back up the threat.
“This is horrendous, but not unsurprising if you look at ransomware like a business,” cyber security expert Troy Hunt said on Twitter.
“If they don’t dump the data publicly, what message does that send to future ‘customers’?”
Medibank has confirmed that almost 500,000 health claims were accessed and the personal details of former and current customers were exposed when an unnamed group hacked into its systems weeks ago.
The health insurer’s CEO David Koczkar said paying a ransom could make Australia “a bigger target” for data thefts by giving criminals an incentive.
“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” he said.
Koczkar said Medibank will commission an external review to ensure it can learn from the event and strengthen its ability to safeguard its customers.
“We take seriously our responsibility to safeguard our customers. The weaponisation of their private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community,” he said.
“We will continue to support all people who have been impacted by this crime through our Cyber Response Support Program. This includes mental health and wellbeing support, identity protection and financial hardship measures.”
Medibank's decision not to pay the ransom is consistent with the position of the federal government; Minister for Home Affairs Clare O'Neil said it was in line with government advice.
Meanwhile, two law firms, including one behind a successful case involving an Ambulance NSW data breach, say they believe Medibank betrayed customers and breached the Privacy Act by failing to prevent the hack.
“Medibank has a duty to keep this kind of information confidential,” Bannister Law and Centennial Law said in a statement.
“This latest data breach exposes the lack of safeguards in place to prevent such personal and private information being released to wrongdoers and Medibank & ahm have failed policyholders in these circumstances.”
The law firms will investigate the terms of the contracts the health insurer provided to customers and whether damages are appropriate.
With AAP