The Cloud Consultancy Europe Ltd.
+44 (0) 203 637 6667

Australian health insurance provider Medibank has announced it won’t be paying the ransom to the criminal(s) who stole data of 9.7 million of its current and former customers.

“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published. In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target,” the company said.

The fact that the criminal did not succeed in deploying ransomware on the company’s IT systems and encrypting the data after stealing it was surely a factor in Medibank’s decision to withhold the ransom.

The current tally of potentially compromised data

The attacker was able to access data of current and former Medibank, ahm, and international customers. More specifically:

  • Name, date of birth, address, phone number and email address for around 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers
  • Medicare numbers (but not expiry dates) for ahm customers
  • Passport numbers (but not expiry dates) and visa details for international student customers
  • Health claims data – service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered – for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers
  • Personal and health claims data of around 5,200 My Home Hospital (MHH) patients, and some contact details of around 2,900 next of kin of these patients
  • Health provider details, including names, provider numbers and addresses

The attacker did not compromise credit card and banking details, identity documents of Medibank and ahm resident customers, and health claims data for extras services.

The Cloud Consultancy provisions, sets up and manages SME cyber security services to protect your business. Whatever your business, however big or small it is, you will receive phishing attacks at some point. Think about how you will help your staff understand the threat and how to spot phishing. As with other advice, give them the tools to defend against it in their personal lives and they will bring that behaviour back to work. There are other important steps which mitigate the impact when phishing succeeds. You will never stop it all. DO NOT BLAME staff when they get it wrong – they are only human.

Protecting customers

While there is no guarantee that direct customer extortion or an online data leak won’t happen, a few days after the initial revelation of the breach Medibank started setting up support services for affected customers, and announced they will be offering financial, mental health, identity protection and monitoring help, and reimbursement of fees for re-issue of identity documents that have been fully compromised.

They’ve added to that a cybercrime health & wellbeing line, a mental health outreach service, a mental health advice app, and even personal duress alarms for customers that are particularly vulnerable and/or with safety risks.

“Customers should remain vigilant as the criminal may publish customer data online or attempt to contact customers directly,” the company said, and advised them to be wary of phishing and scam attempts exploiting the situation.

Source: HelpNetSecurity, by Zeljka Zorz