People walk past a Medibank branch.
Medibank, Australia's largest health insurer, announced it will not pay to recover the data of 9.7 million customers affected by a ransomware attack. (Photo by Scott Barbour/Getty Images)

Medibank, Australia’s largest health insurer, announced Monday that it will not pay a ransom to the hacker behind the recent data theft affecting 9.7 million customers.  

The company noted that based on advice it received from cybercrime experts, the hacker is unlikely to shield and return the stolen information even if the ransom is paid.  

“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target,” Medibank CEO David Koczkar said in a statement Monday.  

Medibank last month revealed that the hacker used compromised high-level credentials to access customers’ personal information. According to the latest investigation, the company said it believed that criminals accessed the names, dates of birth, addresses, phone numbers, and email addresses of around 9.7 million current and former customers, including 2.8 million ahm insurance holders and 1.8 million international customers.

Medibank has determined that the hacker also gained access to Medicare numbers for ahm customers, and passport and visa information for international student customers. The hacker did not obtain banking details, primary identity documents, and health claims data for extras services.

According to Koczkar, Medibank will commission an external review to learn from the attack and share information with the public.

Rohit Dhamankar, VP of threat intelligence and product strategy at Fortra, said he “wholeheartedly” supported Medibank for its decision not to pay the ransom and urged the community to work together against data breaches.

“Medibank knows what customers have been compromised and the kind of personal information that has been stolen. Other organizations need to work with Medibank, including other financial institutions where the stolen IDs could be misused,” Dhamankar told SC Media. “If the ecosystem spends money and effort in extra surveillance around the data lost and preventing its misuse, that will further show the strength of a united community countering this menace.”

Meanwhile, Medibank warned its customers to stay vigilant as the criminal may leak customer data online or try to contact customers directly. The company said it will continue to support customers through its Cyber Response Support Program, which includes mental health and wellbeing support, identity protection, and financial hardship measures.

Medibank said it is required by law to keep customer data for seven years or longer when a customer leaves the service. Koczkar told the Guardian that “there needs to be consultation and discussion” among the Australian government on whether this law should be changed.

The Medibank incident is only the latest in a string of attacks among corporate Australia over the past few weeks, with telecom giant Optus confirming a breach affecting up to 10 million customer accounts, and Telstra’s third-party suppliers being hacked.