Lessons From An Insurer’s Huge Data Breach


November 21, 2022

Medibank, a huge Australian health insurance company, decided not to insure itself against cyberattacks. In hindsight, it should have known better. That is one lesson to be drawn from the ongoing tale of the theft of data on some 10 million current and former Medibank customers. There are others.

The hackers spent a month or so rummaging through the personal affairs of the victims, then published a threat to release sensitive data, including detailed health information about both ordinary and notable people, and presented a demand for an unknown but very large ransom. Medibank has been roundly criticized for its slow response. It did announce the breach, but said it was unlikely that sensitive information had been stolen; that turned out to be wrong.

In an email exchange with the thieves, a company representative asked how Medibank could be sure the hackers would delete the data if the ransom were paid. The hackers replied that they have a reputation to maintain and “are interested in getting money, not destroying your company.” They did not mention that maintaining that reputation also requires inflicting maximum pain when demands are not met. When Medibank refused to pay (plan B?), the hackers proceeded to post what they call “naughty” and “nice” lists of health records. The “naughty” list concerns people who have been treated for issues like addiction and eating disorders. The hackers claim they have only started releasing the stolen information.

Lawsuits against Medibank are in the works. Estimates suggest that the company’s losses will be in the tens of millions of dollars. A final lesson: cyberattack insurance costs a lot, but it is a bargain compared to having neither an incident response plan nor an insurer.
