You have 0 free articles left this month.
Register for a free account to access unlimited free content.
accountants daily logo

Medibank hackers made off with complete database on 9.7m


UPDATED: Millions more compromised by the cyber crime and insurer says paying a ransom would fail to protect data.

By Philip King 13 minute read

The name, date of birth, address, phone number and email for around 9.7 million past and present customers was stolen by the Medibank hackers, the insurer confirmed this morning, more than doubling the number previously thought exposed by the crime.

Medibank said it now believed its complete database had been accessed by the criminals but it would refuse to pay a ransom.

“Given the nature of this crime, unfortunately we now believe that all of the customer data accessed could have been taken by the criminal,” Medibank said.


“Based on our investigation to date into this cybercrime we currently believe the criminal has accessed:

“Name, date of birth, address, phone number and email address for 9.7 million

current and former customers and some of their authorised representatives.

“This figure represents around 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers.”

Following advice from cybercrime experts it would refuse to pay a ransom because “we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published” and could have the opposite effect of encouraging direct exhortation of customers by the cyber criminal.

“This is a significant decision for the business and we’ve had extensive expert advice and the reality of that advice is that there was a small chance that paying a ransom – you can call it extortion – that it was very unlikely they may return customer data,” Medibank CEO Mr David Koczkar told The Australian.

“In fact, you just can’t trust a criminal. It’s more likely that this will put more of our customers at risk through increased extortion and actually make Australia a bigger target. That’s consistent with the government policy on paying ransom, so that’s why we’ve made the decision we have to not pay a ransom.”

As well as the data outlined above, the breach had also exposed:

  • Medicare numbers (but not expiry dates) for ahm customers.
  • Passport numbers (but not expiry dates) and visa details for international student customers.
  • Health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers, including service provider name and location, and procedure codes.
  • Some personal and health claims data of around 5,200 My Home Hospital patients and contact details for around 2,900 next of kin of those patients.
  • Health provider details, including names, provider numbers and addresses.

Medibank said it did not believe the criminal had accessed credit card and banking information nor the details of primary identity documents such as drivers’ licences.

It said customers should remain vigilant as the criminal may publish customer data online or attempt to contact customers directly. 

“We acknowledge how distressing this will be for our customers and apologise unreservedly,” Medibank said.

“We will continue to inform affected customers of what data we believe has been accessed or stolen and provide advice on what they should do.”


You need to be a member to post comments. Become a member for free today!
Philip King

Philip King


Philip King is editor of Accountants Daily and SMSF Adviser, the leading sources of news, insight, and educational content for professionals in the accounting and SMSF sectors.

Philip joined the titles in March 2022 and brings extensive experience from a variety of roles at The Australian national broadsheet daily, most recently as motoring editor. His background also takes in spells on diverse consumer and trade magazines.

You can email Philip on: This email address is being protected from spambots. You need JavaScript enabled to view it.

You are not authorised to post comments.

Comments will undergo moderation before they get published.

accountants daily logo Newsletter

Receive breaking news directly to your inbox each day.