NewsBite

This was published 1 year ago

Medibank faces new year reckoning over hack attacks

By Colin Kruger

Health insurer and notable data breach victim Medibank Private’s management will be bracing for a brisk start to the new year, once the two reports examining whether they should cop the blame for the most damaging hack attack in Australia are handed down.

Regulators and proxy advisers have already made it clear that Medibank’s high command should suffer repercussions, both in terms of pay and job loss, if the reports find the insurer’s cyber defences to be wanting.

Medibank’s independent review by Deloitte is unlikely to be completed by the time corporate reporting season rolls around in February, but the private health insurer will almost certainly provide an update to the market on preliminary findings.

Regulators and proxy advisors have already made it clear that Medibank’s high command should suffer repercussions, both in terms of pay and job loss, for the data breach. Credit: Kara Lau

But the more significant report will be the one to be delivered by Australia’s privacy watchdog, which announced in December that it will conduct a formal investigation into the health insurer’s handling of customer data following the breach.

The Office of the Australian Information Commissioner (OAIC) said its investigation will focus on whether Medibank took reasonable steps to protect the personal information it held from misuse, interference, loss, unauthorised access, modification or disclosure.

“If the investigation finds serious and/or repeated interferences with privacy in contravention of Australian privacy law, then the commissioner has the power to seek civil penalties through the Federal Court of up to $2.2 million for each contravention,” it added.

Threats of legal repercussions

The biggest issue for Medibank is not the possible fines that may be imposed on it; rather, it’s the potential for any adverse findings from the OAIC and the Deloitte reports to open the door for policyholders to seek compensation for economic loss and distress suffered as a result of the breach.

The privacy commission did not give a deadline for its investigation, but its annual report states that the OAIC has a target of completing 80 per cent of the investigations it initiates within eight months.

“Where the commissioner considers there is sufficient public interest in an incident, the commissioner may publish a report of the investigation,” the OAIC said.

Law firm Maurice Blackburn lodged a representative complaint with the OAIC the very morning the commission announced its investigation. The firm is alleging Medibank failed in its duties by failing to take steps to protect its customers’ personal information, and any adverse findings by the OAIC will boost the prospects of compensation.

‘We believe that our processes were robust, although clearly not robust enough in this circumstance.’

Medibank Private chairman Mike Wilkins

Bloomberg Intelligence estimates that a compensation claim could easily reach $700 million.

The criminals accessed basic account details of 9.7 million current and former Medibank customers as well as the health claims data for about 160,000 Medibank customers, 300,000 customers of its budget arm ahm and 20,000 international customers.

Greg Austin, a cybersecurity expert with geopolitical think tank the International Institute for Strategic Studies (IISS), says culpability should be an issue for Medibank – as its chairman Mike Wilkins inadvertently admitted at its AGM in November.

“We believe that our processes were robust, although clearly not robust enough in this circumstance,” Wilkins told investors.

Medibank chairman Mike Wilkins: The insurer’s board and management are bracing for the findings of reports looking into how the hack attack could happen under their watch. Credit: Luis Enrique Ascui

Austin, for one, was surprised that the compromised access to just one person’s work credentials at Medibank led to access of its entire database, including employee details.

“Nobody at a bank can get access to all of the bank’s customer data through their access credentials. It’s all compartmented,” he said.

“What seems to have been the case at Medibank is they got everything because there was somebody in the organisation who had the administrative authority to get everything.”

Financial impact

The financial impact appears to be reflected in the private health insurer’s share price – with Medibank’s market valuation shedding nearly $2 billion since the incident became public. And investors shouldn’t expect a quick recovery either.

Glenn Withers, a professor of economics at ANU, has helped develop a study on the stockmarket impact of cyber incidents on the S&P 500 sharemarket benchmark, which includes some of the biggest US corporations.

“What we found is that (cyber incidents) have a very serious effect,” he said. And the negativity does not dissipate once a remediation is sorted.

“Most of them are in the range of about a 5 to 15 per cent loss of stockmarket valuation in the first one to two years after a major cybersecurity event,” he said.

But he warned that serious cyber breaches can require a lot of corporate upheaval before the victim can recover.

“What we can also say is, where the (cyber) effect is large, quite often the way a company recovers is by takeover and management renewal. You’ve got to reconstruct a company that is the most severely hit to get yourself back on track.”

He thinks this is applicable in Medibank’s case.

“I would have thought that a very substantial renewal is going to be required in this case,” he said. “It won’t be a short-term remedy at all.”


Original URL: https://www.theage.com.au/link/follow-20170101-p5c35z