Medibank defends decision to not pay hackers ransom for stolen data as it contacts 480,000 customers - ABC News

By Nassim Khadem and Daniel Ziffer
Posted Tue 15 Nov 2022 at 11:54pm, updated Wed 16 Nov 2022 at 11:09pm
Medibank faced an "unprecedented cyber attack" that led to millions of customers having their personal information stolen. (AAP: Stefan Postles; Canva)
Medibank’s boss says the company will begin directly communicating with nearly half a million customers whose health data is believed to have been stolen, weeks after it first became aware hackers had breached its customer database.

Medibank's chief executive David Koczkar said the company had started on Wednesday communicating with about 480,000 customers whose health data was believed to have been stolen.

"We commenced this as soon as this data was verified by our team," he said.

"This ongoing work continues and requires our people to analyse millions of records across numerous applications and match customer data from multiple sources.

"And for our customers whose health data has been published on the dark web, we've prioritised those communications, advising them as quickly as we can that their health data has been published, within 48 hours of this data appearing."

'You just can't trust a criminal': Medibank CEO on decision to not pay ransom
Medibank's chief executive David Koczkar said the company had started communicating with about 480,000 customers.
Mr Koczkar received a $2.3 million bonus after shareholders accepted it at the company's annual general meeting on Wednesday.

The value of Medibank shares has plummeted 18 per cent in the past month, as the costs of dealing with the cyber attack escalate and the threat of expensive class actions looms.

Medibank chairman Mike Wilkins defended the company's call to not pay a ransom to the Russian hackers who stole millions of customers' personal data.

"From the outset, Medibank has been committed to doing the right thing by our customers, our people and the community in relation to this cybercrime," he said.

"This includes our decision not to pay any ransom demand for this data theft.

"Based on extensive advice from cybercrime experts, we formed the view that there was a limited chance paying a ransom would ensure the return of our customers' data and prevent it from being published.

Mike Wilkins defended the company's decision and says there will be a review of what went wrong. (Supplied: Royal Commission)
"In fact, the advice we have had is that to pay a ransom could have had the opposite effect and encouraged the criminal to directly extort our customers, and put more people in harm's way by making Australia a bigger target.

"It is for these reasons we could not pay."

Mr Wilkins labelled the communications of Australia's largest insurer as "transparent" as customer anger grows over its handling of the cyber attack.

"This cybercrime event is unprecedented," he said.

"It has caused distress and concern for many of our customers, our people and for you, our shareholders – many of whom I know are also customers.

"I unreservedly apologise to every person for the significant impact of this crime."

He said it was "a despicable act by the criminal seeking to extort payment".

"This is a shocking crime – the size and scale of which we have never seen before," he said.

He said the company's decision to not pay ransom was "consistent with the position of the Australian government" and that Medibank had already commissioned an external review.

That review, being undertaken by Deloitte, would "ensure that we learn from this cyber attack and continue to strengthen our ability to safeguard our customers," he told shareholders.

Medibank warns criminals may keep releasing customer data
Mr Koczkar warned that criminals may continue to release files on the dark web.

"We share the prime minister's and the AFP's call to all media and social media platforms to protect the community by not posting or publishing this information," he said.

"While we understand the public interest, reporting details of this crime only feeds the criminal's need for notoriety."

He also defended the company's decision to not pay hackers ransom.

"The weaponising of the private data of many Australians – our customers – is malicious," he said.

"We are steadfast in our resolve to not reward this criminal behaviour, nor to strengthen a business model that is based on extortion."

"There is no doubt that rejecting the ransom demand was the right thing to do.

"While we unreservedly apologise for the impact of the release of the data we cannot, as a community, pay criminals who are likely to continue to extort us all – particularly when there is no guarantee that the criminal would ever delete the data."

Shareholders voted to return all four directors standing for election, and the remuneration report – which details the pay of executives and directors – received 94 per cent of votes in favour.

Mr Wilkins said any potential financial consequences for executives and directors would be examined ahead of the next shareholders meeting in 2023.