
Medibank executives to keep millions of dollars in bonuses after Russian cyber attack

Australia’s biggest health insurer won’t review executive remuneration until after an investigation into the devastating cyber heist.

Medibank chairman defends $15 million ransom decision

Medibank chief executive David Koczkar and other executives will keep their bonuses – worth more than $7.3m – after Russian cyber criminals exposed the health records and other sensitive data of almost 10 million customers, including the Prime Minister.

The health insurer’s chair Mike Wilkins defended the group’s handling of one of Australia’s biggest data heists, facing a barrage of questions from shareholders at the company’s annual meeting in Melbourne on Wednesday.

Almost $2bn has been wiped off Medibank’s market value since it disclosed the attack last month, while the hackers have released customer health records – including treatment for drug and alcohol abuse, various mental health conditions and abortions.

Despite the breach – the clean-up of which Medibank expects to cost up to $35m, although some analysts estimate the bill could be as high as $150m – Mr Wilkins said the group’s executive team will keep their bonuses.

He said the board would not consider adjusting remuneration until next year after it completes an external review of the attack.

“That’s something that we will take on board for the 2023 year once we have got the full results of the investigation,” Mr Wilkins said.

“That will take some time to complete, but the board is very well aware of the need to make sure that there is an alignment between remuneration and outcomes on all matters.”

Medibank said on Wednesday it has begun communicating with 480,000 customers whose health data it believes the Russian hackers have stolen out of the 9.7 million current and former policyholders who have had their information exposed in the attack.

“Whilst nothing is certain, the criminal may continue to release files on the dark web,” Mr Koczkar said.

“We have continued to email new groups of customers each day. Providing personalised updates to our customers is an incredibly complex process – and it is important to get it right.”

“This ongoing work continues and requires our people to analyse millions of records across numerous applications and match customer data from multiple sources.”

The criminals began releasing customer data after Medibank refused to pay a $15m ransom. Mr Koczkar said the group cannot reward criminal behaviour and “strengthen a business model that is based on extortion”.

Meanwhile, Melbourne headquartered law firm Maurice Blackburn is investigating a legal claim to determine whether customers are entitled to compensation.

Mr Koczkar received $1.1m in bonuses last financial year, bringing his total remuneration to $2.59m. He also received $2.33m – or 150 per cent of his fixed salary – in shares under the company’s long-term incentive plan.

Russian hackers carried out a cyberattack on Medibank that breached the data of 9.7 million people, including the country's prime minister.

Mr Wilkins said: “Medibank aims to reward executives fairly for delivering the company’s strategy in a manner that meets community and customer expectations and delivers sustainable shareholder returns”.

Despite the criticism, shareholders overwhelmingly supported Medibank’s remuneration report and Mr Koczkar’s performance rights, voting 94 and 97.8 per cent in favour respectively. It comes as several companies, including oil giant Santos and vitamins maker Blackmores, have received first strikes against their executive remuneration packages this AGM season.

One Medibank shareholder quipped: “Will the board be nominating itself for a Nobel Prize?” Mr Wilkins replied: “No, but thank you for your support”.

The remuneration report relates to the 2022 financial year, in which the company’s net profit slumped 10.7 per cent to $393.9m after volatility on financial markets tipped its investment portfolio into a $24.8m loss. This compared with a $120m gain the previous year.

But profit in its core health insurance business jumped 10 per cent to $592.6m.

“We said at the release of the FY22 financial results that our capital position remained strong and the board determined shareholders would receive a final fully franked ordinary dividend of 7.3c per share – an increase of 5.5 per cent over the prior year – and this brought the total full year dividend to 13.4 cents per share fully franked,” Mr Wilkins said.

Medibank has maintained its earnings guidance for this financial year, but has withdrawn its policyholder growth estimate, which was expected to be 2.7 per cent this year, following the cyber attack.

Mr Wilkins said that Medibank’s cybersecurity procedures were “robust” but conceded that they were “clearly not robust enough in this circumstance”.

“We will seek to learn from that once we have completed this review.”

Asked which Medibank directors – which include former Queensland Premier Anna Bligh, Tracey Batten, Gerard Dalbosco, Peter Everingham, David Fagan, Kathryn Fagg and Linda Bardo Nicholls – had “extensive information technology experience”, Mr Wilkins said none were IT professionals.

But he talked up the expertise of Mr Everingham – who is also a director of Super Retail Group and has “senior leadership experience … at companies with a strong consumer and technology focus”.

“Part of the reason for asking Peter Everingham to join our board was to bring his considerable digital experience to bear, given the nature of where we see that going and the way in which we want to continue to digitally serve our customers,” Mr Wilkins said.

“Is anyone an IT professional? No, they are not, but a number of us have considerable experience across business and IT is part of that.”

Before the breach, Medibank said it successfully repelled about 250 million cyber attacks a month.

Mr Wilkins did not comment on how the Russian hackers obtained a high-level Medibank login to access its customer database, citing an Australian Federal Police investigation into the matter.

He defended the login procedures at Medibank, where many employees work remotely and access the company’s systems from home and locations other than the group’s offices.

“We think our access processes have been quite robust in terms of that. Certainly, we’ve had multi-factor authentication as a standard across our systems for some time.

“I can attest to that given that I’d forgotten my password once, it needed to go through quite a rigmarole to be able to get back into the system, including two-factor authentication. So we think that our staff still need to go through those protocols to be able to access our systems.”

One shareholder said she was a victim of the data breach and criticised the company about how it informed her health records had been stolen and published on the dark web.

“What I don’t like is that when I was communicated with, that my personal data had been accessed, it looked like all the other updates. So I actually didn’t look at that information until later, and it was sent quite late on Friday,” the shareholder said.

“So I’ve spent the weekend, where possible, contacting certain organisations to try and beef-up my own security.”

The shareholder asked if Medibank was attempting to remove customer data from the dark web, given customers used the information that was leaked to identify themselves when they contacted the health insurer.

“And also, what are you looking to do to not hold my information any longer than is absolutely necessary?”

Mr Wilkins apologised that Medibank’s customer communications appeared repetitive and said Medibank could not remove information from the dark web.

“However, we are speaking regularly with the Australian Cybersecurity Centre and with the Australian Federal Police. And I know that they are monitoring the dark web and seeking to remove that data where they can, but I don’t think that I can give you any guarantees on that in terms of holding information.”

Mr Koczkar said determining whether a customer had their data stolen and published was an “incredibly complex process”.

“It is important to get it right. This ongoing work continues and requires our people to analyse millions of records across numerous applications and match customer data from multiple sources,” he said.

“And for our customers whose health data has been published on the dark web, we’ve prioritised those communications, advising them as quickly as we can that their health data has been published, within 48 hours of this data appearing.”

Medibank shares closed steady at $2.81, giving it a market capitalisation of $7.74bn, in a slightly lower market.


Original URL: https://www.theaustralian.com.au/business/companies/medibank-executives-to-keep-millions-of-dollars-in-bonuses-after-russian-cyber-attack/news-story/05d31b0a64292122fbcf87528ac4fbbd