Medibank Private Ltd (ASX:MPL)’s board adhered to its no ransom decision at the company's Annual General Meeting (AGM) held this morning, throwing a spanner in the hacker’s hopes of receiving US$9.7 million in ransom for the stolen data.
The hackers had paused their malicious daily drip of sensitive data, hoping “something meaningful” may happen in their favour at the AGM.
Medibank's cyber-attack compromised the data of 9.7 million current and former customers, which includes Medibank, ahm and international student customers' data.
The most serious breach was for around 500,000 customers who have had private health information stolen, including health claims and personal information.
Following ransom demands from the hacker, the company announced last Tuesday that no ransom would be paid to the perpetrator of the data theft.
Subsequently, the hackers began a daily drip of sensitive information from Medibank’s leaked databases, pausing only yesterday, ahead of the AGM.
Medibank chair Mike Wilkins starts the AGM by saying the cyberattack is "unprecedented". It's a "shocking crime", the size and scale of which has not been seen before.He also unreservedly apologises to customers.
— Josh Taylor (@joshgnosis) November 15, 2022
Based on expert advice
Addressing the shareholders, Medibank chairman Mike Wilkins said: “Based on extensive advice from cybercrime experts, we formed the view that there was a limited chance paying a ransom would ensure the return of our customers' data and prevent it from being published.
“In fact, the advice we have had is that to pay a ransom could have had the opposite effect and encouraged the criminal to directly extort our customers and put more people in harm's way by making Australia a bigger target.
“It is for these reasons we could not pay.
“This decision is consistent with the position of the Australian Government.”
What happened?
Australian insurance provider Medibank Private detected unusual activity on its networks on October 12, 2022, which is now confirmed to be a major cyber incident by the company.
It took nearly a fortnight for the company to confirm the severity of the attacks, which includes a brief period where the company resumed 'normal operations', brushing off the gravity of the attack.
Following ransom demands from the hacker, the company announced last Tuesday that no ransom would be paid. Subsequently, the hackers had given Medibank an ultimatum of 24 hours to pay the ransom.
In the early hours of Wednesday, the hackers leaked their first dump of customer data, threatening to leak further data if their demands were not met.
On Thursday, the hackers leaked sensitive data containing abortion-related information about Medibank customers.
The data dumps continued on Friday as well, where the hackers released the third dump of sensitive data, including information on people’s mental health status and drug and alcohol use.
These leaks continued on to Monday when the hackers leaked a new data dump, comprising hundreds of insurance claims which could be attributed to mental health treatments.
The hackers also revealed that they would pause the daily leaks till Friday, hoping “something meaningful” may happen at the company’s annual general meeting.
What should one do?
Medibank said that it would inform the customers of the nature of the data leak and customers who were directly affected would be notified and provided with guidance on what to do.
The company has initiated a cyber response support program, which includes mental health and wellbeing support, identity protection and financial hardship measures.
- The company adds that customers should be vigilant with all online communications and transactions including:
- being alert for any phishing scams via phone, post or email;
- verifying any communications received to ensure they are legitimate;
- not opening texts from unknown or suspicious numbers; and
- changing passwords regularly with ‘strong’ passwords, not re-using passwords and activating multi-factor authentications on any online accounts where available.