
Medibank refuses to pay ransom after 9.7 million health insurance customers have their data stolen

Graham CLULEY

November 07, 2022


Embattled Australian health insurer Medibank says that it will not pay a ransom to the cyber extortionists who stole the personal data of almost ten million customers.

Last month attackers stole the personal details (including names, addresses, dates of birth, and phone numbers) of approximately 9.7 million current and former customers.  Almost half a million customers additionally had their private health data accessed, exposing details of the medical treatments for which they had made insurance claims.

Medibank had initially described the attack as being "consistent with the precursors to a ransomware event", with data stolen from its systems before the criminal gang had an opportunity to encrypt files across the network.

Today the firm announced on its website that no ransom payment would be made to its attackers.

According to the firm, it consulted cybercrime experts for advice on how to respond to the security breach and determined that "there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published."

Instead, the company believes that "paying could have the opposite effect and encourage the criminal to directly extort our customers."

Medibank is telling customers to "remain vigilant" as the hackers may attempt to contact them directly, or publish the data online.

It's certainly the case that paying extortionists encourages them, and other criminals, to blackmail other businesses in future.  If no-one ever paid, it's hard to imagine that ransomware would be a problem at all.

But, of course, some organisations do pay up.  And although it's easy to criticise them for making that difficult decision, it may be that they felt powerless to make any other decision because a data breach might, if significant harm is done to their reputation, pose an existential threat to their business.

Whatever a company decides regarding paying a ransom, I would encourage it to work with law enforcement agencies in the hope of gathering evidence that may one day bring the culprits to justice.

And remember this: paying the ransom does not mean that you have erased the security holes that allowed your network to be compromised in the first place. If you don’t find out what went wrong and why, and fix it, then you could easily fall victim to another attack in the future.

It's a sorry and all-too-familiar tale, but what impresses me is that Medibank does appear to be making the right noises about helping affected customers.

Not only are victims being informed by the company about what data it believes has been accessed, and provided with information about what they should do, but they are also being offered hotlines and other services to assist.

These include:

  • A cybercrime health and wellbeing line – with counsellors who have been trained to support victims of crime and issues related to sensitive health information.
  • A mental health outreach service – providing support for vulnerable customers.
  • Better Minds app – with tailored preventative health advice and resources specific to cybercrime and its impact on mental health and wellbeing, including tools for managing anxiety and fear.
  • Personal duress alarms – for customers particularly vulnerable and/or with safety risks.

Such initiatives all cost money of course.  And it's Medibank which will be paying for it.  Or rather those people who insure through Medibank are likely to find their premiums increase next year to cover the cost of handling this unexpected incident.

Unless, of course Medibank had had the foresight to take out some err... cybersecurity insurance?
