NewsBite

Medibank says no customer data was compromised but its shares were placed in a trading halt

Australia’s biggest health insurer has sought advice from agencies and regulators over the cyber hack, but says it hasn’t found evidence customer data was accessed.


Medibank says it has held discussions with cyber security agencies and the prudential regulator after it detected “unusual activity” on its network late on Wednesday.

The ASX-listed insurer said it had taken down several systems – causing significant disruption to some customers – but added that there was no evidence that sensitive data, including personal information, had been accessed.

Medibank disclosed the attack on Thursday morning, and placed its shares in a trading halt. Its AHM and international student policy systems were taken offline to reduce the likelihood of data loss.

David Koczkar, Medibank’s chief executive, said on Thursday that this would “cause regrettable disruptions for some of our customers” and investigations into the incident were “ongoing”.

“I apologise and acknowledge that in the current environment this news may make people concerned,” Mr Koczkar said.

“Our highest priority is resolving this matter as transparently and quickly as possible.

“We will continue to take decisive action to protect Medibank customers and our people.

“We recognise the responsibility we have to the people who rely on us to look after their health and wellbeing and whose data we hold. We are working around the clock to understand the full nature of the incident, and any additional impact this incident may have.”

Medibank chief executive David Koczkar. Picture: Nicki Connolly

Mr Koczkar said AHM and international student customers would still be able to access Medibank’s customer service teams by phone. “But at this stage our people won’t be able to access policy information,” he said.

By late Thursday, the company was “in the process of methodically and safely restarting the systems”. “The work we have done today continues to show no evidence that customer data has been accessed, however our investigation is ongoing,” Medibank said in a second statement.

“We have spoken with the Australian Cyber Security Centre, APRA, Office of the Australian Information Commissioner, Private Health Insurance Ombudsman, the Department of Health and the Department of Home Affairs over the course of the day to ensure that our regulators and other key stakeholders are informed,” the statement reads.

“We have begun the process of contacting our customers and our focus remains on ensuring the ongoing security of our customers, employees and stakeholders and the continued delivery of Medibank services.”

The Medibank attack follows a significant incident at Optus, with the disclosure of nearly 10 million customers’ private details including Medicare and passport data.

That incident created a rift between the telco and the federal government, which accused the company of hiding the true extent of the data breach and moving too slowly to work with agencies.

The Office of the Australian Information Commissioner and Australian Communications and Media Authority are reviewing why the telco had kept such extensive data on its customers.

Serious or repeated breaches could result in the OAIC seeking Federal Court penalties of up to $2.2m for each contravention.

Medibank is scrambling to investigate a cybersecurity incident. Picture: Paul Jeffers

This week, Telstra chair John Mullen warned against being too critical of Optus, saying a similar attack could affect any company. Indeed, last week about 30,000 current and former Telstra staff had their names and email addresses posted online following a breach of a third-party service.

“Let me be blunt and say that it’s very easy to be critical when it isn’t you in the firing line, and we should all avoid hubris because no one can afford to be complacent,” Mr Mullen said.

Jonathan Reiber – a former Pentagon chief strategy officer for cyber policy who now works for online security firm AttackIQ – said the government should be working more closely with businesses to fend off hackers.

“The vast majority of cyberspace is owned and operated by the private sector, yet governments are responsible for organising their countries for war,” Mr Reiber told The Australian at the weekend. “This places governments in the position of needing to engage the private sector in combined defensive operations to counter cyber attacks, often on a voluntary basis as preparations need to occur in advance of the outbreak of hostilities.”


Original URL: https://www.theaustralian.com.au/business/companies/medibank-suffers-cyber-incident-crashes-systems/news-story/658e6f88259d8d2a1740d1d6a1735f6b