Two weeks after the Medibank cyber-attack, the question that remains unanswered is: will the company pay a ransom?
Medibank said it has determined through communications with the alleged hacker that data on all of the company’s 3.9 million customers has been exposed. The records include personal information like names, dates of birth, addresses, and gender identities, as well as Medicare numbers and health claims.
The hacker claimed to have extracted about 200GB of files, and has provided 1,000 records to the insurer as proof that they hold the data they claim to have.
Beyond these details, Medibank has been tight-lipped about its communications with the hacker. It has not responded to questions about whether it has or will pay a ransom to prevent the release of the data online, or the sale of the data to a third party.
Richard Buckland, a professor of cybercrime at UNSW, said the Medibank case was one of the few where a company should pay the ransom.
“This would be one of the very rare cases where I think the costs of not paying are so extraordinarily high that it would probably justify the cost of paying,” he told Guardian Australia.
“This is causing harm to innocent people who had nothing to do with the incompetence of the organisation in looking after the data. They were forced to hand that data across and that collateral damage, I think, is what makes this different.”
The official advice from the federal government’s Australian Cyber Security Centre is to never pay a ransom.
“There is no guarantee you will regain access to your information, nor prevent it from being sold or leaked online. You may also be targeted by another attack,” the agency stated.
But in reality, many businesses do.
Cybersecurity firm Sophos released a State of Ransomware report in April this year that found 43% of Australian companies paid ransoms after ransomware attacks, compared to 46% globally.
The attack on Medibank is not a ransomware attack in the strict sense, since Medibank’s systems were not locked up by the attacker, but the dynamic is the same: negotiation over the data that was obtained.
Buckland said Medibank should seek legal advice before making any payment. While it is not illegal for businesses to pay a ransom, businesses that do might fall foul of other laws, such as those banning payments to a prohibited organisation – including terrorist organisations and many Russian organisations.
Generally companies should not pay ransoms, Buckland said.
“I think paying a ransom enables this market to flourish. It’s one of those cases of the tragedy of the commons, where you do something that benefits you but it slightly hurts everyone else.”
Medibank told the Australian Stock Exchange on Wednesday that the financial hit to the company would be between $25m and $35m, not including potential customer compensation or regulatory or legal costs.
The company has not indicated whether this figure would cover the cost of any ransom payment. Medibank told investors the cost would include customer communication costs, expert support and technology costs, and the cost of protecting customer identities.
The company put this cost down to not having cyber insurance, which Medibank’s chief financial officer, Mark Roger, has said is due to the high cost of insurance that “went up significantly over the last couple of years”.
Roger said Medibank was not certain it would have had its costs covered even if it did have cyber insurance.
Buckland said it was a “dangerous” decision for the company not to have cyber insurance, since an insurer would also be able to help negotiate. He suggested the high cost of insurance could be due to how “poorly secured” Australian companies are.
“It’s like flood insurance: the cost of the insurance is going up because the risk is going up.”