Medibank cyber-attack: should the health insurer pay a ransom for its customers’ data?

Speculation is rife about whether the insurer will pay a hacker who claims to have extracted 200GB of files


Two weeks after the Medibank cyber-attack, the question that remains unanswered is: will the company pay a ransom?

Medibank said it has determined through communications with the alleged hacker that data on all of the company’s 3.9 million customers has been exposed. The records include personal information like names, dates of birth, addresses, and gender identities, as well as Medicare numbers and health claims.

The hacker claimed to have extracted about 200GB of files, and has provided 1,000 records to the insurer to prove they have the data claimed.

Beyond these details, Medibank has been tight-lipped about its communications with the hacker. It has not responded to questions about whether it has or will pay a ransom to prevent the release of the data online, or the sale of the data to a third party.

Richard Buckland, a professor of cybercrime at UNSW, said the Medibank case was one of the few where a company should pay the ransom.

“This would be one of the very rare cases where I think the costs of not paying are so extraordinarily high that it would probably justify the cost of paying,” he told Guardian Australia.

“This is causing harm to innocent people who had nothing to do with the incompetence of the organisation in looking after the data. They were forced to hand that data across and that collateral damage, I think, is what makes this different.”

The official advice from the federal government Australian Cyber Security Centre is to never pay a ransom.

“There is no guarantee you will regain access to your information, nor prevent it from being sold or leaked online. You may also be targeted by another attack,” the agency stated.

But in reality, many businesses do.

Cybersecurity firm Sophos released its State of Ransomware report in April this year, which found that in Australia 43% of companies paid ransoms after ransomware attacks, compared with 46% globally.

The attack on Medibank is not a ransomware attack in the strict sense, since Medibank’s systems have not been locked up by an attacker, but the extortion dynamic is the same: negotiating over the data that was obtained.

Buckland said Medibank should seek out legal advice before making any payment. While it is not illegal for businesses to pay a ransom, businesses that do might run afoul of other laws, such as those banning payments to a prohibited organisation – including terrorist organisations and many Russian organisations.

Generally companies should not pay ransoms, Buckland said.

“I think paying a ransom enables this market to flourish. It’s one of those cases of the tragedy of the commons, where you do something that benefits you but it slightly hurts everyone else.”

Medibank told the Australian Stock Exchange on Wednesday that the financial hit to the company would be between $25m and $35m, not including potential customer compensation or regulatory or legal costs.

The company has not indicated this would cover costs for paying out any ransom. Medibank told investors the cost would include customer communication costs, expert support and technology costs, and the cost to protect customer identities.

The company attributed having to bear this cost itself to not having cyber insurance, which Medibank’s chief financial officer, Roger, said was due to the high cost of cover, which “went up significantly over the last couple of years”.

Roger said Medibank was not certain it would have had its costs covered even if it did have cyber insurance.

Buckland said it was a “dangerous” decision of the company not to have cyber insurance, since the insurance company would also be able to help negotiate. He suggested the high cost of insurance could be due to how “poorly secured” Australian companies are.

“It’s like flood insurance, the cost of the insurance is going up because the risk is going up.”
