Medibank confirms all 3.9 million customers exposed to hack

The cyber attack is expected to cost the insurer, which does not have cyber insurance, between $25m and $35m.

The cyber attack is likely to cost Medibank between $25m-$35m, not including potential customer remediation, or litigation related costs. Picture: NCA NewsWire / Paul Jeffers
The Australian Business Network

Medibank is investigating whether it failed to adequately defend against cyber attacks after revealing all 3.9 million of its current customers have been exposed to a data hack.

An undisclosed number of former customers have also been affected thanks to Medibank retaining data as required by laws in the ACT, NSW and Victoria mandating health records be kept for at least seven years.

The health insurer revealed the breach of its network – through stolen Medibank credentials purchased on an online criminal forum – had allowed an unknown criminal access to all personal data and a “significant amount” of intimate health information.

The hack has cost Medibank between $25m and $35m so far, for which it is not covered because of the “cost” of such insurance.

“It’s cost. Costs went up significantly over the last couple of years,” chief financial officer Mark Rogers said. “It’s coverage, so how much cover you can actually get in terms of the total amount of exposure plus the risk share.”

Mr Rogers said he wouldn’t have expected the majority of costs incurred by Medicare to be covered even if the company had insurance.

Australian Chamber of Commerce and Industry chief executive Andrew McKellar said the rise in the number and severity of cyber attacks had significantly impacted insurance premiums, making it challenging for small businesses in particular to insure against hacks.

Fergus Hanson, director of the Australian Strategic Policy Institute’s international cyber policy centre, said he wasn’t surprised Medibank didn’t have insurance.

“Because there are so many different ways it can happen and different loopholes in contracts, it can be hit and miss whether you get coverage when an event happens,” he said.

The $35m cost incurred by Medibank does not include the reimbursements it has promised to pay for the reissuing of identity documents. Medibank said it had deferred premium increases after confirming Medibank customers’ data had been stolen as well as that of ahm and international students. The deferments are estimated to cost the company north of $50m.

Chief executive David Koczkar said the attack was “a terrible crime” designed to cause “maximum harm” to the most vulnerable members of the community.

Research and advisory firm ADAPT said the news all customers had been exposed was “the worst possible outcome for Medibank customers” and companies needed to reconsider how much information they retained. “While people generally understand maintaining bulletproof security in the face of sophisticated attacks is really hard, customers won't readily forgive companies who can’t show they took all reasonable steps to protect their information, even after an initial data breach,” ADAPT research director Archie Reed said.

Medibank would not confirm how much it had spent on cyber security but said it had engaged Crowdstrike, Microsoft, Threat Intelligence and the Australian Cyber Security Centre to protect it against attacks. As part of its defence system, Medibank ran regular drills simulating cyber attacks, some of which lasted for more than two days, in what is considered “best practice”.

When asked if Medibank conceded that it failed to employ sufficient defences against cyber-attacks, the insurer said: “That will form part of our investigation.”

Labor on Tuesday introduced privacy laws to parliament that will significantly increase the minimum fines for companies involved in security breaches to a minimum of $50m, or up to 30 per cent of their turnover in the “relevant period”.

Original URL: https://www.theaustralian.com.au/business/medibank-confirms-all-customer-data-accessed-in-cyber-security-breach/news-story/66db5c0d6f88070c971b69afc6346366