The beleaguered Australian health insurer Medibank says it will not pay a ransom to cyber extortionists who stole the personal data of about 10 million customers.
Last month, attackers stole the personal information (names, addresses, dates of birth, phone numbers, etc.) of approximately 9.7 million current and former customers. In addition, nearly half a million customers have accessed their personal health data and published treatment details for which they have filed claims.
Medibank initially described the attack as “consistent with precursors to a ransomware event” and that data was stolen from systems before criminal gangs had a chance to encrypt files on the network.
the company today Announced on website No ransom is paid to the attacker.
The company said it consulted cybercrime experts on how to respond to a security breach and determined that “paying the ransom will ensure that the customer’s data is returned and is unlikely to be prevented from being made public.” It is said that
Instead, the company believes that “paying can have the opposite effect and encourage criminals to directly extort customers.”
Medibank is telling customers to “keep vigilant” as hackers may attempt to contact them directly or expose their data online.
Indeed, extortionists who pay money inspire them and other criminals to blackmail other companies in the future. Ransomware is unlikely to be a problem if no one pays.
Of course, some organizations do pay. While it’s easy to criticize them for making that difficult decision, other companies are likely to face an existential threat to their business if a data breach seriously damages their reputation. He may have felt powerless to make the decision.
Whatever decision the company makes about paying the ransom, we recommend working with law enforcement in hopes of gathering evidence to bring the perpetrators to justice.
Paying the ransom does not remove the security hole that allowed the network to be compromised in the first place. If you don’t figure out why and fix what went wrong, you could fall victim to another attack in the future.
Sorry if it sounds too familiar, but what impressed me is that Medibank seems to be making the right noise about helping affected customers.
Victims are not only notified by the company of the data they believe has been accessed and provided with information on what to do, but are also provided with a hotline and other services to help.
- The Cybercrime Health and Well-Being Line – has counselors trained to support crime victims and issues related to confidential health information.
- Mental Health Outreach Services – Provide support to vulnerable customers.
- Better Minds App – Features preventative health advice and resources dedicated to cybercrime and its impact on mental health and well-being, including tools for managing anxiety and fear.
- Personal duress alarm – for customers who are particularly vulnerable and/or have security risks.
Of course, all such initiatives come at a cost. And Medibank will pay for it. Rather, those who take out insurance through Medibank are likely to see their premiums increase next year to cover the costs of dealing with this unforeseen event.
Unless, of course, Medibank had the foresight to do something wrong… cybersecurity insurance?