Medibank CEO says no ransom for suspected Russian hackers

Things are starting to look grim for Australian health insurer Medibank after the company's chief executive officer confirmed that no ransom would be paid to the hackers who stole the information of 9.7 million individuals from the company.

The dark web hackers originally asked for $10 million USD in exchange for the data they stole, but joked online that they could discount the price to $9.7 million USD. One dollar for every individual affected. But how did Medibank get into this situation?

On October 12th, the Australian health insurance firm Medibank first confirmed that it had been the target of a malicious cybersecurity incident. 

Unusual activity consistent with a ransomware attack was detected on Medibank’s network but the public was reassured by company officials that there was no evidence sensitive customer information had been stolen. 

Although the company claimed that no sensitive data was leaked, many of Medibank’s key services and functions were shut down as a precautionary measure.

Early reports from the company mentioned that the hackers gained access to their system's Australian Health Managment Group information as well as its international student customer data and a significant amount of health data from other Australian customers. 

While gaining access didn’t necessarily mean the information had been stolen, Medibank CEO David Koczkar warned that the company expected the number of affected customers to grow substantially and that an investigation had already been launched to discover the true extent of the hack. 

Photo: Medibank Newsroom

Shortly after the announcement of the hack, Medibank representatives quoted the number of affected customers had risen to about 4 million people and there was possibly still an unaccounted number of former clients that were also affected. 

"Our investigation has now established that this criminal has accessed all our private health insurance customers' personal data and significant amounts of their health claims data," CEO David Koczkar said in a statement. 

"I apologise unreservedly to our customers. This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community." Koczkar said in a statement to the public. 

Medibank worked quickly work to end its security breach, but the company announced that it had been contacted by the hackers. They claimed to have 200GB of stolen data in their possession. 

"We are working around the clock to understand the full nature of the incident," Koczkar said in a statement to the public, "and any additional impact this incident may have on our customers, our people and our broader ecosystem." 

On October 26 Medibank's shares plummeted and 1.75 was wiped off the market value of the company when Medibank announced that it couldn’t give its assurance that the hackers who had accessed the records of its customers had actually left the company’s systems. 

Shortly after Medibank’s stock plummeted it became clear that the hackers had gained access to the information of every Medibank customer. Customers' names, addresses, dates of birth, gender, email addresses, medical card numbers, and health claims were all affected. 

The hackers were looking to ransom back the stolen information to Medibank and the company has been tight-lipped about the situation ever since, though some onlookers have called for Medibank to pay the ransom. 

Richard Buckland, a professor of cybercrime at the University of New South Wales said that Medibank should pay the ransom. 

In an interview with the Guardian Australia, Buckland stated, “This would be one of the very rare cases where I think the costs of not paying are so extraordinarily high that it would probably justify the cost of paying.” 

While the situation is still ongoing, the hack is not a total surprise to Australians. Cybercrime in Australia is on the rise. 

The Medibank hack was the latest in a string of similar cyber incidents that have rocked the country, including the recent Optus incident that saw Australia’s second-largest telecom provider targeted in late September 2022. 

A joint task force of over 100 officers from the Australian Federal Police and the Australian Defence Force has been assembled to track down the identities of hackers and bring them to justice.