Should Medibank pay the ransom demanded by hackers? Here's why experts are divided

As Medibank faces ransom demands, experts say there may be some cases in which a company decides to pay up. But when it comes to a personal data breach, that's unlikely to happen.


Medibank is currently dealing with the fallout of a cyberattack that has affected millions of current and former customers. Source: AAP / Bianca De Marchi

Key Points
  • Medibank will not pay a ransom demand despite hackers threatening to release customers' stolen personal data.
  • The government has supported Medibank's decision, saying paying up would fuel "the ransomware business model".
  • But opinion on whether or not to pay a ransom is divided among experts.

Just weeks after the Medibank cyber attack was revealed to be , the data breach has taken another concerning turn.

Hackers behind the attack are now threatening to release the data of millions of current and former customers unless Australia's largest private health insurer pays a ransom.

Medibank has refused to pay up and the federal government is backing its decision. But are there any situations in which a ransom should be paid? Here's what experts think.

The ransom demand

On Tuesday, it emerged the Medibank hackers .

That includes the personal data of 9.7 million current and former customers, including names, dates of birth, and email addresses, according to Medibank.

Medicare numbers of the private health insurer's budget subsidiary, ahm, have also been exposed, as well as the passport details and visa numbers of international student customers.

About 480,000 Medibank, ahm, and international student customers also had their health claims data accessed.

No credit card or banking details were accessed.

It's unknown when the hacker made the ransom demand and how much they have requested, but Medibank on Monday .

Medibank chief executive David Koczkar said there was "only a limited chance" that paying the ransom would result in the hacker giving back or preventing it from being published.

To pay or not to pay?

Medibank's refusal to hand over the ransom money is in line with the federal government's recommendations.

Home Affairs Minister Clare O'Neil said on Monday the payment of ransoms "undermines" her goal for "Australia to be the most cyber-safe country in the world."

"Medibank's decision is consistent with Australian government advice. Cyber criminals cheat, lie and steal. Paying them only fuels the ransomware business model. They commit to undertaking actions in return for payment, but so often re-victimise companies and individuals," Ms O'Neil said.

Toby Murray is an associate professor of cybersecurity at the University of Melbourne. He's also a Medibank customer who's been caught up in the data breach.

Opinion on the payment of ransoms is divided among experts, according to Dr Murray. He said some believe it may be appropriate to do so if they believe the hacker is "acting rationally".

"There are certainly ransomware gangs or criminal groups who regularly engage in this ... and develop a reputation," Dr Murray said.

"And so I think, for instance, if you have been attacked by ... a ransomware gang, who is well-known and who has a reputation for keeping their word once the ransom has been paid, then it may be worth considering that, yes, they will actually keep their word and therefore, there may be an argument for paying up."

However, he stressed that there are downsides to paying a ransom, such as perpetuating the ransomware business model, and said that Medibank may have information that suggests the hackers are not rational actors.

Whether to give in to the hackers' demands can also be situation dependent, said Chad Whelan, a professor of criminology at Deakin University.

He pointed to last year's ransomware attack on the Colonial petroleum pipeline, which runs from the US Gulf Coast to the US East Coast. The attack prevented the company from billing customers and forced it to halt the flow of fuel. It wasn't until after the FBI helped facilitate a ransom payment of 75 bitcoin (about US$4.4 million at the time) that the hackers provided a tool to unlock the billing infrastructure.

"There have been circumstances where victims of ransomware attacks have found themselves in a situation where they've had no choice but to pay the ransom, and that's typically associated with getting systems and infrastructure back online," he said.

But when it comes to data, paying a ransom would "likely fuel criminal activity".

"There's no guarantee that the data would be destroyed or returned, and another ransom may be requested," he said.

"In short, would there be a situation where paying a ransom is advisable? I think, in general, it would only be done as an absolute last resort, and is unlikely to happen in the context of returning data."

At a Senate estimates hearing on Thursday, Australian Federal Police (AFP) Commissioner Reece Kershaw urged businesses to alert authorities of data breaches as soon as they became aware of them.

With the FBI now helping the AFP track down those behind the Medibank and data breaches, Mr Kershaw said the long and complex investigations would use significant resources.

"Apart from sending a warning to cyber criminals that the AFP will relentlessly pursue them, I also have a message to business - please alert authorities immediately when a data breach is suspected," he said.

"It's like any crime scene. The longer it takes relevant agencies to be informed, the harder it is for perpetrators to be identified, disrupted or brought to justice."

Law firms float Medibank class action

Meanwhile, two law firms, including one behind a successful case involving an NSW Ambulance data breach, say they believe Medibank betrayed customers and breached the Privacy Act by not stopping the hack.

"Medibank has a duty to keep this kind of information confidential," Bannister Law and Centennial Law said in a statement late on Monday.

"This latest data breach exposes the lack of safeguards in place to prevent such personal and private information being released to wrongdoers and Medibank and ahm have failed policyholders in these circumstances."

No case has been filed with a court.

With AAP.

Published 8 November 2022 4:24pm
By David Aidone
Source: SBS News