Breached health insurer won't pay ransom to protect customers, warns of more attacks
Australia's Medibank uses a government-approved Band-Aid to cover a gaping 10-million-record wound
Australian health insurer Medibank – which spent October discovering a security incident was worse than it first thought – has announced it will not pay a ransom to attackers that made off with personal info describing nearly ten million customers.
"Based on the extensive advice we have received from cyber crime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers' data and prevent it from being published," CEO David Koczkar stated in a stock market filing published on Monday.
"In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm's way by making Australia a bigger target," he added, before stating "This decision is consistent with the position of the Australian Government."
The update also revealed that Medibank believes "all of the customer data accessed could have been taken by the criminal" and recommends "Customers should remain vigilant as the criminal may publish customer data online or attempt to contact customers directly."
Which leaves the insurer not paying a ransom so the attackers don't go after customers directly, while also warning customers they're at risk of direct attack.
Such attacks could be nasty. While credit card and banking details were not accessed, info describing medical services used by around half a million customers is out there somewhere.
"This includes service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered," the filing states.
Names, dates of birth, addresses, phone numbers and email addresses for around 9.7 million current and former customers leaked, as did the same info about some of their authorized representatives.
Australia's #Medibank has been listed on the site that used to be operated by REvil. The relationship between the current operators of the site and REvil remains unclear. pic.twitter.com/rP1ZxDsBh2
— Brett Callow (@BrettCallow) November 7, 2022
Medibank also confirmed that primary identity documents, such as drivers' licenses, were not accessed for most of its clients – but around 1.8 million international customers weren't so lucky and also had details of the visas that permit them to reside in Australia exposed. The Australian national health scheme (Medicare) ID numbers of 2.8 million customers were also leaked.
Enough info leaked that attackers may, at the very least, feel confident that social engineering efforts have an increased chance of success.
Medibank will continue to offer customers support, including payments to replace identity documents.
The insurer has also pledged to commission an external review "to ensure that we learn from this event and continue to strengthen our ability to safeguard our customers."
Australian authorities continue to probe the incident, but no culprit has been identified. Nor has Medibank offered a detailed explanation of how the attackers were able to breach its defenses – beyond agreeing with a theory that compromise of legitimate users' credentials was the first step attackers undertook before they stole data. ®