Should Australia's Medibank Give in to Extortionists?Australia's Most Severe Cybercriminal Incident Has No Good Solution
Australian health insurer Medibank is in a no-win position. An extortion group says it stole 200 gigabytes of company data, files the insurer says affects virtually its entire customer base of 4 million people
The data includes personal data and health claims data for Medibank customers, the company's international student customers and for its "ahm" health insurance brand. It's the most severe cybercriminal incident in Australian history (see Fallout From Medibank Hack Grows).
Should Medibank pay off the extortionists and prevent the release of sensitive medical documents related to millions of Australians?
Medibank could, of course, pay a ransom and the records sold on the sly anyway. But paying could prevent a mass data dump easy for lots of bad people to access.
Many top-shelf consultancies blithely couch paying ransoms to recover data as a cost of doing business. It's pure realpolitik but a clinical, tone-deaf view of criminal acts. It also supercharges more acts of ransomware and extortion (see Paying Ransomware Actors: 'It's a Business Decision').
The official advice from the Australian government has been to not give cybercriminals money because they come back for more. The last few weeks have been rough in Australia on the data breach front with back-to-back data breaches that have affected most of the country's population (see Australia's Data Breach Wave: Workaday Cybercrime).
Ban Paying Ransoms?
There's a debate in Australia whether the government should outlaw paying ransoms. This is a bad idea. It punishes cybercrime victims. It's difficult to enforce. Police should be fighting cybercriminals, not wasting time pursuing victims who paid. And, it will kill some businesses.
Here's why the ransom question is so hard from a utilitarian perspective. Is it better for a small company to pay $800,000 in ransom in order to recover data and prevent the business from going bankrupt and having to lay off 60 employees? Yes, it is.
Medibank's situation is different. The fact the data is in cybercriminals' hands isn't an operational impediment, which is why many organizations pay. It's digital hostage taking. It's way worse than compromised driver's license numbers, passport numbers and Medicare numbers exposed in the Optus breach (see Optus Attacker Halts AU$1.5 Million Extortion Attempt).
If we choose that Medibank should pay, what's the value of preventing a sudden dump of 200 GB of sensitive data? It's high but not infinite. The lack of trust and control over what cybercriminals may subsequently do means paying outrageously high ransoms don't make sense.
Is it better that Medibank pays to prevent a mass release of records but accept that it's likely some of the data will be sold anyway quietly? Perhaps. That may help avoid mass anxiety if the entire 200 GB batch of data is dumped on the internet.
Another disadvantage of paying is that it usually invites more attacks from other groups. That means if Medibank doesn't get its IT security house in order quickly, it could find itself in the same position a few weeks down the road. And Australia has already had enough on its plate the last few weeks.