2022-11-07

Medibank Australia has gone all-in in its stand-off with extortionist hackers, revealing almost 10 million people have been affected by the wholesale breach as it publicly vowed it will not pay any ransom with what appears to be tacit backing from the government for the stand.

Chatter in cyber circles on Monday was pointing to a potential line in the sand being drawn over the incident by Australian cyber authorities who have been in the US leading discussions about disrupting ransomware groups and operations.

The revelation that the Medibank data breach is now the size of the Optus breach is certain to shock Australians and pile pressure on home affairs minister Clare O’Neil to locate and bring to justice the perpetrators of the raid on Medibank.

Medibank revealed the full scale of its leakage on Monday at the commencement of trading on the Australian Securities Exchange, setting in motion a major support operation for customers affected by the hack.

Some outlets are reporting that part of the threats included the release of sensitive information of prominent Australians and celebrities who are or were Medibank customers, although this is a known tactic to flush out more people potentially ready to pay to avoid adverse publicity.

Common points of leverage for extortionists are addiction treatments, sexual and reproductive health and mental health.

Medibank CEO David Koczkar emphasised in a statement the company was working closely with cyber authorities and was on the same page as the government.

“Based on the extensive advice we have received from cybercrime experts, we believe there is only a limited chance [that] paying a ransom would ensure the return of our customers’ data and prevent it from being published. In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target,” Koczkar said.

“It is for these reasons we have decided we will not pay a ransom for this event,” he said, with the Medibank statement adding that “this decision is consistent with the position of the Australian Government.”

The Medibank chief said the company was serious about its “responsibility to safeguard our customers” despite the mass exfiltration.

“The weaponisation of their private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community,” Koczkar said.

It’s also a de facto attack on the banking and payments system, because the worth of the stolen information lies in enabling identity theft to steal money, commit credit fraud and dupe people into making real-time authorised push payments (APPs) to what appear to be legitimate accounts.

Banks appear deeply worried that the recent massive hacks could be precursor activity by criminals preparing to target Australia, which is copying the English model of ‘open banking’ and authorised push payments that shifts liability for fraud straight onto consumers.

A recent Australian Banking Association submission to Treasury on the Consumer Data Right’s ‘action initiation’ segment, which is the Australian equivalent of the UK’s APP disaster, has directly questioned whether the proposal is safe.

“Work should be undertaken to understand potential use cases, the scams, fraud and cyber risks, the utility to customers compared with alternative options, and the regulatory or technology barriers that need addressing ahead of implementing any action type,” the ABA wrote to Treasury last month.

“The ABA recommends a full strategic assessment and a cost/benefit analysis be undertaken by Government to determine whether the cost of building for an action type is outweighed by the consumer benefit.”

