Medibank executives are standing by their call not to pay a ransom to the Russian hackers who stole millions of customers’ personal data.

The company’s board is expected to face a grilling from shareholders at Medibank’s annual general meeting on Wednesday, which comes a month after hackers stole personal information of the health insurer’s current and former customers.

Medibank has announced an external review to be performed by Deloitte, adding it has already boosted security measures in the wake of last month’s hack.

The company has also begun communicating with around 480,000 customers it believes had their health data stolen.

“Safeguarding our customers’ data is a responsibility we take very seriously and we will continue to support all people who have been impacted by this crime,” chairman Mike Wilkins said.

“There is no doubt that this crime is having an enormous impact on our customers and our community. This is a shocking crime, the size and scale of which we have never seen before.”

But Mr Wilkins said paying a $US9.7 million ransom was never an option and would have supercharged the hacking industry if the company had done so.

“Based on extensive advice from cybercrime experts, we formed the view that there was a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” he said.

“In fact, the advice we have had is that to pay a ransom could have had the opposite effect and encouraged the criminal to directly extort our customers, and put more people in harm’s way by making Australia a bigger target.”

The hackers have indicated they’ll be watching the meeting to see if the insurer opts to take a different course.

Releasing the latest batch of stolen information – 500 records relating to mental health and other treatments – the hackers said they wouldn’t post more until the meeting was over.

“There is some more records for everybody to know,” the hackers wrote in an update.

“We’ll announce that next portion of data we’ll publish at Friday, bypassing this week completely in a hope something meaningful happened on Wednesday.”

Medibank CEO David Koczkar said the company had started the process of contacting the half a million customers whose sensitive data had been taken.

“Providing personalised updates to our customers is an incredibly complex process, and it is important to get it right,” he said.

“This ongoing work continues and requires our people to analyse millions of records across numerous applications and match customer data from multiple sources.”

A 100 officer-strong cybercrime operation targeting the hackers will be led by the Australian Federal Police and Australian Signals Directorate.

Data including names, phone numbers, Medicare numbers and sensitive health information was taken by the hackers during the breach.

Medibank shares sat at $3.55 before the hack but have since dropped to as low as $2.75 per share.

Shareholders are expected to vote on performance bonuses for Medibank’s executives and re-elect directors.

 

Alex Mitchell
(Australian Associated Press)