ABC News
Nassim Khadem and Daniel Ziffer

Medibank defends decision to not pay hackers ransom for stolen data as it contacts 480,000 customers

Medibank’s boss says the company will begin directly communicating with nearly half a million customers whose health data is believed to have been stolen, weeks after it first became aware hackers had breached its customer database.

Medibank's chief executive David Koczkar said the company had started on Wednesday communicating with about 480,000 customers whose health data was believed to have been stolen.

"We commenced this as soon as this data was verified by our team," he said.

"This ongoing work continues and requires our people to analyse millions of records across numerous applications and match customer data from multiple sources.

"And for our customers whose health data has been published on the dark web, we've prioritised those communications, advising them as quickly as we can that their health data has been published, within 48 hours of this data appearing."

Mr Koczkar received a $2.3 million bonus after shareholders accepted it at the company's annual general meeting on Wednesday.

The value of Medibank shares has plummeted 18 per cent in the past month, as the costs of dealing with the cyber attack escalate and the threat of expensive class actions looms.

Medibank chairman Mike Wilkins defended the company's call to not pay a ransom to the Russian hackers who stole millions of customers' personal data.

"From the outset, Medibank has been committed to doing the right thing by our customers, our people and the community in relation to this cybercrime," he said.

"This includes our decision not to pay any ransom demand for this data theft.

"Based on extensive advice from cybercrime experts, we formed the view that there was a limited chance paying a ransom would ensure the return of our customers' data and prevent it from being published.

"In fact, the advice we have had is that to pay a ransom could have had the opposite effect and encouraged the criminal to directly extort our customers, and put more people in harm's way by making Australia a bigger target.

"It is for these reasons we could not pay."

Mr Wilkins labelled the communications of Australia's largest insurer as "transparent" as customer anger grows over its handling of the cyber attack.

"This cybercrime event is unprecedented," he said.

"It has caused distress and concern for many of our customers, our people and for you, our shareholders – many of whom I know are also customers.

"I unreservedly apologise to every person for the significant impact of this crime."

He said it was "a despicable act by the criminal seeking to extort payment".

"This is a shocking crime – the size and scale of which we have never seen before," he said.

He said the company's decision to not pay ransom was "consistent with the position of the Australian government" and that Medibank had already commissioned an external review.

That review, being undertaken by Deloitte, would "ensure that we learn from this cyber attack and continue to strengthen our ability to safeguard our customers," he told shareholders.

Medibank warns criminals may keep releasing customer data 

Mr Koczkar warned that criminals may continue to release files on the dark web.

"We share the prime minister's and the AFP's call to all media and social media platforms to protect the community by not posting or publishing this information," he said.

"While we understand the public interest, reporting details of this crime only feeds the criminal's need for notoriety."

He also defended the company's decision to not pay hackers ransom.

"The weaponising of the private data of many Australians – our customers – is malicious," he said.

"We are steadfast in our resolve to not reward this criminal behaviour, nor to strengthen a business model that is based on extortion."

"There is no doubt that rejecting the ransom demand was the right thing to do.

"While we unreservedly apologise for the impact of the release of the data we cannot, as a community, pay criminals who are likely to continue to extort us all – particularly when there is no guarantee that the criminal would ever delete the data."

Shareholders voted to return all four directors standing for election, and the remuneration report – which details the pay of executives and directors – received 94 per cent of votes in favour.

Mr Wilkins said any potential financial consequences for executives and directors would be examined ahead of the next shareholders meeting in 2023.
