The boss of embattled insurer Medibank says the value of the ransom demand from cyber criminals was "irrelevant" in the company's decision not to negotiate with the hackers.
The company informed the ASX this morning that the personal details of around 9.7 million current and former customers had been accessed in a massive cyber attack last month.
Among the data were names, addresses, dates of birth and phone numbers.
A smaller cohort, of almost half-a-million customers, had private health data accessed – including types of medical treatments they had claimed.
Medibank chief executive David Koczkar said the company would not pay a ransom to the cyber criminals, in an interview with the ABC's Afternoon Briefing.
"The amount of money that was demanded is actually, was irrelevant to the decision — the decision was based on the expert cybercrime advice," he said.
"Many people may think that paying extortion would guarantee the return of the data of our customers to us — you just can't trust a criminal.
"The reality is that making any payment would increase the risk of extortion for our customers, and put more Australians at risk."
Mr Koczkar refused to outline the dollar value of the ransom, and would only say the demand was made a couple of weeks ago.
"We continually, and will continue to work, with the government in particular, the Australian Federal Police who are investigating this, given it's a crime," he said.
"We stand by to support them in their investigations against the criminal, and we stand by ready to support our customers in the event that this data is released by the criminal."
Home Affairs minister Clare O'Neil said Medibank's decision was consistent with Australian government advice.
"Cyber criminals cheat, lie and steal. Paying them only fuels the ransomware business model," she said.
"They commit to undertaking actions in return for payment, but so often re-victimise companies and individuals."
Medibank working to contact millions of hacked customers
The chief executive confirmed work was underway to contact the millions of customers, to inform them of exactly what records had been hacked.
"All of our customers, including current and former customers, have received individual emails several times in the last three and a half weeks," Mr Koczkar said.
"We've communicated all the information we had to hand, and my commitment was always as soon as it's clear to me, it'll be clear to our customers.
"So, based on this new information, we will be a yet again communicating individually to our customers to know exactly what data has been accessed and exactly what data hasn't been accessed, so that they're informed about what data of theirs is at risk."
Mr Koczkar avoided directly answering whether he expected Medibank customers to flock to other insurers, as a result of the hack.
"I will absolutely unreservedly apologise to all customers, both current and previous, who've been impacted by the cybercrime," he said.
"We will do everything we can to safeguard them and their data now and in the future.
"We will learn from this and we will implement additional changes so that we can continue to safeguard our customers in the future."