Deloitte to lead external audit of ‘unprecedented’ Medibank breach


Medibank has commissioned big four auditing firm Deloitte to conduct an external review into the devastating mid-October ransomware breach, which saw highly sensitive customer data from across the health insurance group being leaked onto the dark web.

Medibank chair Mike Wilkins announced the commissioning during the company’s AGM address to shareholders today, stating that the health insurer would openly “share the key outcomes of the review, where appropriate”, having regard to the interests of its customers and stakeholders and to the ongoing Federal Police investigation.

He added that Medibank is “committed to sharing, where it is safe to do so”, learnings from the breach to help guide and protect Australian businesses and the broader community from similar data loss events.

The company said it will continue to work closely with the Australian Government, including the Australian Cyber Security Centre (ACSC) and the Australian Federal Police (AFP), during its investigation into the breach.

Chief executive David Koczkar also revealed the company has commenced personalised communications with around 480,000 customers whose health data was compromised.

“We commenced this as soon as this data was verified by our team,” Koczkar said, noting the company faced challenges in providing personalised updates to the considerable number of affected customers.

“This ongoing work continues and requires our people to analyse millions of records across numerous applications and match customer data from multiple sources.”

“And for our customers whose health data has been published on the dark web, we’ve prioritised those communications, advising them as quickly as we can that their health data has been published, within 48 hours of this data appearing.”

Medibank said it had also proactively contacted customers “who we know are uniquely vulnerable to provide them with additional support and care”.

‘No’ to ransom payment

Wilkins also defended Medibank’s decision not to pay the ransom demanded by the hackers, acknowledging the limited likelihood that any such payment would result in the secure return of stolen data.

The hackers, believed to be from a Russian criminal syndicate known as ‘REvil’ (or ‘ransomware evil’), had reportedly demanded US$1 (AU$1.60) for each of Medibank’s 9.7 million customers.

As of 11 November, Medibank confirmed that the personal information of more than five million customers has so far been released.

“From the outset, Medibank has been committed to doing the right thing by our customers, our people and the community in relation to this cybercrime,” Wilkins said.

“This includes our decision not to pay any ransom demand for this data theft.

“Based on extensive advice from cybercrime experts, we formed the view that there was a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published.

“In fact, the advice we have had is that to pay a ransom could have had the opposite effect and encouraged the criminal to directly extort our customers, and put more people in harm’s way by making Australia a bigger target.

“It is for these reasons we could not pay.”

Koczkar added: “The weaponising of the private data of many Australians – our customers – is malicious”.

“We are steadfast in our resolve to not reward this criminal behaviour, nor to strengthen a business model that is based on extortion.”

The Federal Government’s Cyber Security Minister Clare O’Neil, speaking on ABC’s Insiders program last Sunday, has also backed Medibank’s decision not to pay the $15 million ransom.

“We’re standing strong as a country against this, we don’t want to fuel the ransomware business model,” O’Neil said.

Cybercrims continue to leak

Koczkar warned that criminals may continue to release personal data captured in the ransomware breach.

In a company update issued on Monday, the Medibank chief warned leakers that law enforcement authorities “will take swift action against anyone attempting to benefit, exploit or commit criminal offences using stolen Medibank customer data”.

“We continue to work closely with the Australian Federal Police who are focused, as part of Operation Guardian, on preventing the criminal misuse of this data.”

In his address to shareholders, Koczkar described the cybercrime event as “unprecedented” in both its scale and impact.

“This is a shocking crime – the size and scale of which we have never seen before.”

“It has caused distress and concern for many of our customers, our people and for you, our shareholders – many of whom I know are also customers.”

The breach event, first publicly acknowledged by Medibank on 13 October and now considered one of the largest and most high-profile cyber hacks in Australian corporate history, saw the capture and release of highly sensitive customer data, including names, email and home addresses, phone numbers, Medicare numbers, dates of birth, passport numbers and visa details.

It also included personal health claims data for a smaller number of Medibank Group customers (reportedly around 160,000 Medibank customers, 300,000 ahm customers, and 20,000 international customers) which included details on medical procedures, service provider names, and locations and codes associated with diagnosis and procedures given.

In the wake of a spate of recent high-profile cyber breaches, the Australian Government has also announced it will move to pass new laws increasing the maximum fine for breaches of the Privacy Act to $50 million (up from just $2.2 million) or 30 per cent of a company’s adjusted turnover in the relevant period.