Key Points
- Medibank says it won't pay a ransom demand for last month's cyber attack on its business.
- The breach exposed the personal data of around 9.7 million current and former customers.
Medibank says it won't pay a ransom demand for last month's cyber attack on its business that exposed the personal data of around 9.7 million current and former customers.
Medibank chief executive David Koczkar said on Monday there is "only a limited chance" that paying the ransom would result in the hacker giving back or preventing it from being published.
"In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm's way by making Australia a bigger target," he said in a statement.
"It is for these reasons we have decided we will not pay a ransom for this event."
Who was affected by the hack and what information was exposed?
The private health insurer said the personal data of around 5.1 million Medibank customers, 2.8 million ahm customers, 1.8 million international customers and some of their authorised representatives were exposed in the hack.
All current and former customers' names, dates of birth, addresses, phone numbers and email addresses were accessed.
The Medicare numbers of ahm customers, and the passport numbers and visa details of international student customers, were exposed as well.
Also accessed in the hack were the health claims of around 160,000 Medibank customers, 300,000 ahm customers, and 20,000 international customers.
Some personal and health claims data from around 5,200 My Home Hospital (MHH) patients were exposed, along with some contact details from around 2,900 of those patients' next of kin.
The information stolen by the hacker doesn't include primary identity documents, like drivers' licences, for Australian Medibank or ahm customers, or any credit card or banking details.
Health claims data for extras services like dental, optical, and psychology also weren't accessed.
What's being done with the data?
Medibank warned customers to , as the hacker may publish their personal data online, or attempt to contact them directly.
"We take seriously our responsibility to safeguard our customers. The weaponisation of their private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community," Mr Koczkar said.
He said Medibank, which is continuing to work with the federal government, the Australian Cyber Security Centre and the Australian Federal Police, would commission an external review to learn from the attack and strengthen its digital defences.
"We will continue to support all people who have been impacted by this crime through our Cyber Response Support Program. This includes mental health and wellbeing support, identity protection and financial hardship measures,"Mr Koczkar said.
What is the government doing to help?
Cyber Security Minister Clare O'Neil said Medibank's decision not to pay a ransom to cyber criminals was "consistent with Australian government advice".
"Cyber criminals cheat, lie and steal. Paying them only fuels the ransomware business model," she said in a statement on Monday.
Ms O'Neil said the government was "stepping up on cyber security" through a global ransomware initiative to be led by Australia and a new strategy to counter cyber threats.
"Unlike the last government, we see and recognise the urgent need to address the conditions that have allowed the two largest cyber attacks in our history to occur within the space of two months," she added.
The cyber attack on Medibank came just weeks after , affecting millions of the telco's customers.
Other recent hacks have involved real estate company , the , and online shopping site .
The federal government announced last month that companies that experience serious or repeated privacy breaches would face
"Governments, businesses and other organisations have an obligation to protect Australians' personal data, not to treat it as a commercial asset. The law must reflect this," Attorney-General Mark Dreyfus said when he introduced the bill to parliament.
"Penalties for privacy breaches cannot be seen as simply the cost of doing business.
"Entities must be incentivised to have strong cyber and data security safeguards in place to protect Australians."
A review of the Privacy Act will also be completed by the end of this year, with recommendations to be handed down for further reforms.