ABC News
political reporter Matthew Doran

Medibank CEO says ransom amount 'irrelevant' and paying up would only increase risk of further extortion

The boss of embattled insurer Medibank says the value of the ransom demand from cyber criminals was "irrelevant" in the company's decision not to negotiate with the hackers.

The company informed the ASX this morning that the personal details of around 9.7 million current and former customers had been accessed in a massive cyber attack last month.

Among the data were names, addresses, dates of birth and phone numbers. 

A smaller cohort, of almost half-a-million customers, had private health data accessed – including types of medical treatments they had claimed.

Medibank chief executive David Koczkar said the company would not pay a ransom to the cyber criminals, in an interview with the ABC's Afternoon Briefing.

"The amount of money that was demanded is actually, was irrelevant to the decision — the decision was based on the expert cybercrime advice," he said.

"Many people may think that paying extortion would guarantee the return of the data of our customers to us — you just can't trust a criminal.

"The reality is that making any payment would increase the risk of extortion for our customers, and put more Australians at risk."

Mr Koczkar refused to outline the dollar value of the ransom, and would only say the demand was made a couple of weeks ago.

"We continually, and will continue to work, with the government in particular, the Australian Federal Police who are investigating this, given it's a crime," he said.

"We stand by to support them in their investigations against the criminal, and we stand by ready to support our customers in the event that this data is released by the criminal."

Home Affairs minister Clare O'Neil said Medibank's decision was consistent with Australian government advice.

"Cyber criminals cheat, lie and steal. Paying them only fuels the ransomware business model," she said. 

"They commit to undertaking actions in return for payment, but so often re-victimise companies and individuals."

Medibank working to contact millions of hacked customers

The chief executive confirmed work was underway to contact the millions of customers, to inform them of exactly what records had been hacked.

"All of our customers, including current and former customers, have received individual emails several times in the last three and a half weeks," Mr Koczkar said.

"We've communicated all the information we had to hand, and my commitment was always as soon as it's clear to me, it'll be clear to our customers.

"So, based on this new information, we will be yet again communicating individually to our customers to know exactly what data has been accessed and exactly what data hasn't been accessed, so that they're informed about what data of theirs is at risk."

Is Medibank right to refuse paying ransom to its hackers?

Mr Koczkar avoided directly answering whether he expected Medibank customers to flock to other insurers, as a result of the hack.

"I will absolutely unreservedly apologise to all customers, both current and previous, who've been impacted by the cybercrime," he said.

"We will do everything we can to safeguard them and their data now and in the future.

"We will learn from this and we will implement additional changes so that we can continue to safeguard our customers in the future."
