Medibank says hacker accessed data of 9.7 million customers, refuses to pay ransom

(Reuters) - Medibank Private Ltd, Australia’s biggest health insurer, on Monday said no ransom payment will be made to the criminal responsible for a recent data theft, wherein around 9.7 million current and former customers’ data was compromised.

Highlighting findings of the firm’s investigation to date, Medibank confirmed that names, dates of birth, addresses, phone numbers and email addresses for around 9.7 million current and former customers were accessed in the data theft.

Cyber security issues in Australia have seen a sharp rise in recent times, with a government report suggesting there is one attack every seven minutes.

“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” Medibank CEO David Koczkar said.

Koczkar added that paying a ransom could encourage the hacker to extort customers directly, hurting more people. The insurer reiterated that business operations remained normal during the time of the cyberattack, with customers continuing to access health services.

Medibank warned that its customers must be vigilant as the criminal may leak the data online or attempt to contact customers directly.

Corporate Australia has seen a string of attacks in just the last couple of weeks, with Singapore Telecommunications’ unit Optus disclosing a breach of up to 10 million customer accounts, and Woolworths revealing that data of millions of customers using its bargain shopping website had been compromised.

Medibank said it will commission an external review to learn from the cyberattack whilst expanding its Cyber Response Support Program.

(Reporting by Roushni Nair in Bengaluru; Editing by Daniel Wallis)