Medibank hack: millions more Aussies potentially caught in hack
edibank is investigating whether it failed to adequately defend against cyber attacks after revealing all 3.9 million of its current customers have been exposed to a data hack.
Medibank’s market value slumped about $1.7bn on Wednesday as hackers linked to an online Russian criminal forum threatened to expose the health records and other sensitive information of millions of Australians.
Medibank withdrew its guidance on policyholder growth — citing the uncertainty around the attack and the extent of its fallout — sending its shares diving on Wednesday as they emerged from a seven-day suspension of trade.
It closed down 18.1 per cent at an 18-month low of $2.87.
But chief executive David Koczkar refused to say whether the group would pay a ransom to the cyber criminals, despite saying he expects the mass theft of customer data — including health records and Medicare numbers — to cost the company at least $25-35m.
This compares with Woolworths chief executive Brad Banducci saying the supermarket chain is spending more than $60m on cybersecurity — double the amount on last year — and up to a further $20m on capex to strengthen its digital defences.
Most of that cash Medibank has earmarked will be spent on bolstering customer identity protections and extra staff for its call centre and external cybersecurity consultants. It does not include any potential customer remediation payments.
Medibank — Australia’s biggest health insurer with more than 27 per cent market share — revealed on Wednesday the data of all its 3.9 million policyholders has been compromised.
But millions more Australians potentially risk having their sensitive information released unless Medibank pays the cyber criminals a ransom, with the company sending letters to scores of former customers — including those who are dead.
In the past two years alone, more than 1.5 million Medibank customers have changed funds – with the company having churn rates of 14 and 25 per cent respectively in 2021 and 2020. Medibank is still calculating the total number of former customers with data exposed in the breach.
“We believe that the scale of stolen customer data will be greater and we expect that the number of affected customers could grow substantially,” Mr Koczkar said.
Medibank is legally required to retain customer information for seven years for adults and up to 25 years for children, creating a honeypot for cyber criminals. Mr Koczkar branded the attack a “terrible crime” aimed at inflicting “maximum harm”.
He also said Medibank did not have cyber insurance, meaning its shareholders will foot the $25-35m bill.
But Mr Koczkar declined to say whether Medibank had earmarked a portion of that amount to pay a ransom, which would effectively buy back the stolen customer data and prevent its release.
“Given the sensitive nature of this event, I can’t go into any detail and won’t comment on this. This is subject to a criminal investigation,” he said.
While a McGrathNicol study found most Australian companies pay cyber criminals ransoms – with the average payment totalling $1.28m – to stop an attack, online experts are warning Medibank against caving into hacker demands, saying it will make Australian companies a soft target and spark further breaches.
Medibank chief financial officer Mark Rogers said it was too early to say how the attack’s damage bill and potentially further costs related to the breach will affect the company’s dividend.
“We haven’t made a decision on how we report that number within the financials other than to say we’ll be fully transparent on the cost at the half-year results. It’s too early also for us to actually determine how we’ll strike the first half and second half dividend,” Mr Rogers said.
“That will really depend on the underlying business momentum and the level of unallocated capital at the time.”
Woolworths chief executive Brad Banducci said the company had “learnt a lot” after a separate cyber attack on the supermarket chain’s MyDeal marketplace, which exposed the data of 2.2 million customers, earlier this month.
“We’re doubling down on efforts,” Mr Banducci said. “If you’re a public company like Woolworths the standards are there and we should have moved more quickly to address what was well underway.
“We doubled our spend on cyber between FY18 and F20 and doubled it again in FY21 and FY23. We have over 120 specialists working in our business today as well as the core IT team.”
Mr Banducci said most of the cybersecurity risks related to “core IT and unauthorised user access or someone finding someone’s password”.
As late as Monday last week Medibank said it was yet to find any evidence that customer data was stolen. This was despite detecting suspicious activity in its customer database on October 12.
This suspicious activity was a criminal – who bought a high-level logon for Medibank’s database from a Russian language website – transferring about 200GB of customer information into zip file.
“Our investigation has now established that this criminal has accessed all our private health insurance customers personal data and significant amounts of their health claims data. The investigation into this cybercrime event is continuing, with particular focus on what data was removed by the criminal,” Mr Koczkar said.
“We believe that the scale of stolen customer data will be greater and we expect that the number of affected customers could grow substantially.”
Mr Koczkar withdrew policyholder guidance on Wednesday after warning last week that he did not expect the breach to derail Medibank’s earnings, citing the “uncertain impact of this cybercrime event”.
Instead, Medibank will provide another trading update at its half-year financial results in February.
Mr Koczkar said the hack will likely cost $25-$35m pre-tax, but warned the bill could be more expensive.
“These non-recurring costs do not include further potential customer and other remediation, regulatory or litigation related costs.
“This cybercrime event continues to evolve and at this stage, we are unable to predict with any certainty the impact of any future events on Medibank including the quantum of any potential customer and other remediation, regulatory or litigation related costs.”
On Tuesday, Medibank said it has deferred premium increases after confirming its cybercrime event included theft of Medibank customer data as well as that of ahm and international students. The deferments are estimated to cost the company north of $50m.
The criminal behind the Medibank data hack bought login credentials to gain access to the network from an online Russian criminal forum and did extensive reconnaissance before collecting the data, which experts estimate would have lasted months.
“Our investigation has now established that the criminal had access to: all AHM customers’ personal data and significant amounts of health claims data; all international student customers’ personal data and significant amounts of health claims data; all Medibank customers’ personal data and significant amounts of health claims data,” Mr Koczkar said.
“The investigation into the cybercrime event is continuing, with particular focus on identifying which systems and networks were accessed and what data was removed by the criminal.
“Concurrent to the investigation, Medibank has prioritised preventing further unauthorised entry to our IT network and is continuing to monitor for any further suspicious activity. This has included bolstering existing monitoring, adding further detection and forensics capability across Medibank’s systems and network and scaling up analytical support via specialist third parties.”
The hackers punctured Medibank’s cyber defence strategy – which is considered best practices and has successfully fended off 250 million attacks known as perimeter attempts a month – to steal “very specific” customer data, including sensitive health information such as the medical conditions customers have been diagnosed with and treatment they were prescribed.
This could potentially include deeply personal information relating to sexual health, serious diagnoses such as cancer, whether a woman has undergone a termination, and whether a person has been treated for a mental health condition or substance abuse.
It comes as net resident policyholder growth in the three months to September 30 was 14,600. This represented growth of 3.2 per cent on an annualised basis – above Medibank’s previous guidance of about 2.7 per cent, which it said assumed a “modest decline in industry participation growth in FY23 relative to FY22”.
The company, which has a market value of $9.65bn, said its underlying net claims expense continued to track below the FY23 outlook of 2.3 per cent.
“This has resulted in further permanent net claims savings due to Covid-19 of approximately $62m and these savings will offset the cost of the deferral of premium increases for Medibank and AHM.
“As at September 30 2022, our health insurance capital ratio was 13.4 per cent, and unallocated capital was approximately $150m.”
More Coverage
Westpac banks on new CEO to take over from King
Wealth and business banking boss Anthony Miller will continue Westpac’s technology and risk transition plans when he takes over the top job from Peter King in December.
ASX 200 to fall; Westpac, Star on watch
Anthony Miller to take over Westpac top job from Peter King in December. Star financial results, other updates awaited. Wall Street's ugly week of losses as soft US jobs data triggers hard landing fears.