Medibank says it will not pay any cyberattack ransom

Latest News

Medibank says it will not pay any ransom related to the recent cyberattack that saw the theft of personal data for the company's almost 10 million current and former customers.

CEO David Koczkar said the company unreservedly apologises and recognises the distress the incident has caused.

He also confirmed that no ransom will be paid.

“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published," said Mr Koczkar.

"In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.

“It is for these reasons we have decided we will not pay a ransom for this event,” he said.

The company said that based on its investigation to date, the perpetrators of the attack have accessed the name, date of birth, address, phone number and email address of around 9.7 million current and former customers.

They did not access primary identity documents, such as driver's licenses, because the company does not collect that information. However, they did access Medicare numbers (but not expiry dates) for ahm customers, passport numbers and visa details for international student customers, and health claims data for around 160,000 Medibank customers, 300,000 ahm customers and 20,000 international customers.

"Given the nature of this crime, we now believe that all of the customer data accessed could have been taken by the criminal," said the company

“We take seriously our responsibility to safeguard our customers. The weaponisation of their private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community,” continued Mr Koczkar.

“We will continue to support all people who have been impacted by this crime through our Cyber Response Support Program. This includes mental health and well-being support, identity protection and financial hardship measures.

“Medibank will also commission an external review to ensure that we learn from this event and continue to strengthen our ability to safeguard our customers,” he said.