NewsBite

Medibank breach widens in ‘distressing development’

The insurer has deferred premium increases, saying the cyber attack affecting customer data is much wider than it originally thought.

Medibank says the cyber attack affecting customer data is much wider than it originally thought, confirming in a ‘distressing development’ that data from its main brand was compromised alongside that of ahm and international students.

The insurance provider said on Tuesday it has deferred premium increases after confirming its cybercrime event included theft of Medibank customer data as well as that of ahm and international students. The deferments are estimated to cost the company north of $50m.

The stolen data includes customers’ names, addresses, contact information, claims information and birth dates.

“This is a distressing development and Medibank unreservedly apologises to our customers,” the company said in a statement.

“As we continue to investigate the scale of this cybercrime, we expect the number of affected customers to grow as this unfolds.

“Given the distress this crime is causing our customers we will also defer premium increases for Medibank and ahm customers until 16 January 2023.”

Medibank said that because of the complexity of the data it has received, it’s too early to know the full extent of the customer data that has been stolen.

The company has nearly 4 million customers nationally.

Medibank, which is Australia’s largest private health insurance provider, said it had received a file of 1,000 further policy records from the hacker, including personal and health claims data. Last week it received a file containing 100 ahm policy records.

It also flagged an announcement later on Tuesday for a comprehensive customer support package, which will include 24/7 mental health and wellbeing support; support for customers who are in uniquely vulnerable positions; and access to specialist identity protection advice with IDCARE for all customers.

Medibank shares are in suspension until either a further announcement on Tuesday or the start of normal trading on Wednesday. Picture: NCA NewsWire / Paul Jeffers

“I unreservedly apologise to our customers who have been the victims of this serious crime,” chief executive David Koczkar said.

“As we continue to uncover the breadth and gravity of this crime, we recognise that these developments will be distressing for our customers, our people and the community – as it is to me.

“This is a malicious attack that has been committed by criminals with a view of causing maximum fear and damage, especially to the most vulnerable members of our community.

“We continue to work closely with the agencies of the federal government, including the ongoing criminal investigation into this matter. We thank them for their ongoing support and assistance.”

As reported on Monday, the criminal behind the Medibank data hack bought login credentials to gain access to the network from an online Russian criminal forum and did extensive reconnaissance before collecting the data, which experts estimate would have lasted months.

Medibank last week revealed it had up to 200 gigabytes of data stolen from its servers, including customers’ intimate health information and even the location of treatments.

Home Affairs Minister Clare O’Neil said the latest Medibank development was “deeply concerning” and she had been in contact with Medibank and top security agencies from the very beginning.

“The Australian government recognises that this incident is very stressful for affected Australians,” she said.

“The toughest and smartest people in the Australian Government are working directly with Medibank to try to ensure that this horrendous criminal act does not turn into what could be irreparable harm to some Australian citizens.”

Ms O’Neil said she had been “in constant contact” with Medibank’s chief executive and the heads of the Australian Signals Directorate and the Australian Federal Police since she was first informed of the cyber incident.

“Medibank is cooperating with government in responding to this incident,” she said.

Clare O’Neil. Picture: Martin Ollman/Getty Images

“Significant support has been provided by the Australian Signals Directorate’s Australian Cyber Security Centre, the Australian Federal Police and the Department of Home Affairs.”

Ms O’Neil said the incident was “another reminder for Australian governments, businesses and citizens to be vigilant about their cyber safety”.

Opposition spokesman for cyber security James Paterson says Medibank customers would be “very distressed” by confirmation their information could have been stolen in a cyber attack. He said that “despite the company’s initial denials, customers’ worst fears have now been realised”.

“After a slow and confused response to the Optus cyber attack, it is concerning that it took the Cyber Security Minister Clare O’Neil a week to publicly respond to the Medibank hack,” he said.

“Ms O’Neil should explain why she accepted the company’s initial denial this was serious, delaying government engagement by a week.

“Medibank victims have every right to know what steps the Albanese government took, and when,” he said.

“The government should release a clear timeline of the actions they took following the initial disclosure of the attack on October 13.”

Director of the Australian Institute’s centre for responsible technology Peter Lewis said it was clear from the Optus and Medibank attacks that there needed to be broader privacy reforms.

Labor last week announced massive increases to maximum fines for companies who were involved in serious cyber breaches, from $2.2 million to at least $50m.

But Mr Lewis said reform needed to go further than “just penalties”.

“We need to look at whether these organisations even hold this information in the first place, and whether we can look at some form of personal or government control,” he said.


Original URL: https://www.theaustralian.com.au/business/technology/medibank-breach-widens-in-distressing-development/news-story/3e189d0f19003e84e72dc1145cfb0823