Medibank admits ransomware attack is far worse than previously thought

The company now believes around 9.7 million past and present customers have been affected by the attack, and has said it is refusing to pay the ransom

Medibank has revealed that 9.7 million current and former customers have been affected by a cyber attack on the company's systems in October, a number substantially higher than previously thought.

The company, one of Australia’s largest health insurance providers, disclosed on 19 October that it had been hit by a cyber attack and was negotiating with the attackers. A week later, Medibank said the attacker had access to the data of all of its 3.9 million customers and hinted that the number of customers affected by the attack could grow substantially.

Following an investigation, the company has now revealed the attacker gained access to the data of 9.7 million current and former customers. It said that it is required by law to retain certain customer information, including that of former customers, for particular periods of time, generally for seven years from when a customer leaves the company, but sometimes longer.

The 9.7 million figure represents around 5.1 million Medibank customers, 2.8 million customers belonging to Medibank subsidiary Ahm, and around 1.8 million international customers. The attacker also accessed Medicare numbers for Ahm customers, and passport numbers and visa details for international student customers.

Health claims data for around 160,000 Medibank customers were also accessed, as well as those belonging to 300,000 Ahm customers, and 20,000 international customers. This included service provider name and location, the location where customers received medical services, and codes associated with diagnosis and procedures administered.

The company has also decided that it will not make a ransom payment to the attacker responsible for the data theft. It said this decision is consistent with the position of the Australian government.

“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” said Medibank CEO David Koczkar.

“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.”

The company added that it believes that all of the customer data accessed could have been taken by the hackers. It advised customers to remain vigilant as the attackers could publish the data online or attempt to contact customers directly.

Medibank added that its business operations weren’t affected during the cyber attack and that it hasn’t detected any more suspicious activity inside its systems since 12 October 2022. It has also boosted its existing monitoring capabilities, added further detection and forensics capabilities, and scaled up analytical support through third parties.

This comes as the Australian government is looking to introduce tougher penalties for serious privacy breaches after the country has been exposed to a number of cyber attacks recently.

In October 2022, the attorney general said the maximum penalty will rise from $2.22 million (£1.2 million). Companies will instead face a new maximum fine equal to the greatest of three figures: 30% of a company's adjusted turnover in the relevant period, three times the value of any benefit obtained through the misuse of information, or $50 million (£27 million).
