Medibank chair says company’s cybersecurity was ‘clearly not robust enough’
By Colin Kruger and Tim Biggs
Medibank chairman Mike Wilkins has defended the private health insurer’s attitude to cybersecurity following the worst hack in Australian corporate history, which exposed its entire base of 10 million customers.
“We have always taken, and we continue to take our IT security very, very seriously,” he told shareholders at the company’s annual meeting in Melbourne on Wednesday.
“We believe that our processes were robust, although clearly not robust enough in this circumstance. And we will seek to learn from that once we have completed this review,” he said.
The annual general meeting was the first time the company’s board and management team had fronted shareholders since it was hit by the damaging cyberattack last month, which it says will cost it at least $35 million.
Over the past week, hackers have drip-fed sensitive health information about Medibank customers on the dark web in an attempt to pressure the company ahead of the AGM into paying a $10 million ransom fee.
While the AGM was at times fiery, shareholders did not protest the company’s remuneration report and all directors up for re-election were endorsed, in line with advice given by proxy groups.
Earlier at the meeting, Medibank chief executive David Koczkar sent a clear message to the criminals who hacked the records of its customers, insisting the insurer was not going to change its decision to reject the ransom demand.
“There is no doubt that rejecting the ransom demand was the right thing to do,” Koczkar told investors.
This week, the criminals declared that no further information would be released until Friday, indicating they would be watching the shareholder meeting with interest.
“There is some more records for everybody to know,” they wrote in a blog update.
“We’ll announce, that next portion of data we’ll publish at Friday, bypassing this week completely in a hope something meaningful happened on Wednesday.”
Koczkar said the company’s resolve had not diminished after the steady leak of sensitive customer data.
“While we unreservedly apologise for the impact of the release of the data, we cannot as a community, pay criminals who are likely to continue to extort us all – particularly when there is no guarantee that the criminal would ever delete the data. As I’ve said before, you cannot trust a criminal.”
Koczkar also warned that customers and media should not take the material published by hackers as fact.
“This is a complicated process. The data that’s actually on the dark web is sometimes not accurate. It’s not complete,” he said.
“We need to make sure we match the data back to the data in our systems to make sure that we communicate very clearly.”
He reiterated that Medibank’s current response to the crisis would incur costs of up to $35 million for the December half. This does not include further potential customer and other remediation, regulatory or litigation-related costs.
Wilkins apologised to investors and customers in his speech.
“It has caused distress and concern for many of our customers, our people and for you, our shareholders – many of whom I know are also customers,” he said.
“I unreservedly apologise to every person for the significant impact of this crime. It is a despicable act by the criminal seeking to extort payment based on the privacy concerns of our customers and must be condemned in the strongest possible terms.”
Wilkins said the board would continue to invest in mitigating these risks and indicated that major shareholders and advisers had shown support for the board.
Ahead of the meeting, proxy group CGI Glass Lewis flagged that board renewal and executive scalps may be needed over the coming year and raised the spectre of executive pay “clawbacks” to account for any shortcomings that allowed the attack to be so damaging.
The hacking incident escalated again on Monday when this masthead revealed that employee data was also hacked, potentially opening up new vulnerabilities for Medibank’s computer systems.
The Australian Federal Police are stepping up efforts to contain the fallout of the hack amid emerging evidence that the sensitive health data leaked by the criminals is becoming more publicly available.