Medibank defends decision to not pay hackers ransom for stolen data as it contacts 480,000 customers
Nassim Khadem and Daniel Ziffer report:
Medibank’s boss says the company will begin directly communicating with nearly half a million customers whose health data is believed to have been stolen, weeks after it first became aware hackers had breached its customer database.
Medibank’s chief executive David Koczkar said the company had today started communicating with about 480,000 customers whose health data was believed to have been stolen.
Read more at ABC (Au).
Comments: DataBreaches believes that they are wise to prioritize letters to those whose personal and health information has already been leaked on the dark web. And it’s helpful that they explain their reasoning for not paying the ransom demand.
What’s not wise is that their chief executive reportedly received a $2.3 million bonus “after shareholders accepted it at the company’s annual general meeting on Wednesday.”
There will undoubtedly be those who will complain that had the company invested that money in cybersecurity, the breach might not have happened. Others will be offended that executives who didn’t prevent this horrific breach are being rewarded. And, of course, there will be threat actors who will point out that if the company could pay out $2.3 million like that, it could have paid them their ransom demands and spared the anguish and trauma Medibank’s members are experiencing now.
Medibank’s stock value has reportedly plummeted 18% already from this breach. Some potential class action lawsuits have already been filed. This will be a very costly breach for Medibank by the time all the figures are in. Should they have given their executive a salary boost under the circumstances? It’s not a good look for the insurer.