NewsBite

Fast track for data shield

Labor will expedite its watershed data and privacy laws as an emergency response to the Medibank data breach.


Labor will expedite its watershed data and privacy laws as an emergency response to the Medibank data breach, after Australia’s largest private health insurance company revealed that the personal health records of four million current and all its former customers may have been stolen.

Attorney-General Mark Dreyfus is seeking to legislate significantly increased penalties for “serious or repeated” data breaches and to give the Information Commissioner sweeping powers amid concern that current laws are “hopelessly outdated”.

The Australian understands the government on Tuesday was moving to fast-track its privacy laws into the lower house as early as Wednesday morning in response to Medibank’s “distressing development” that its cyber attack affecting consumer data was much wider than originally thought.

A fortnight after a major telecommunications data breach at Optus, the insurance provider was forced to defer its premium increases following the cybercrime event, which included theft of data from its Medibank brand.

Previously, the company believed only data from its sub-brand ahm and insurance for international students had been taken. The deferments could cost the company more than $50m.

Medibank chief executive David Koczkar said the company was operating under the possibility that all four million of its customers – as well as millions of former consumers – could have been affected by the breach.

The government is moving to fast-track its privacy laws into the lower house as early as Wednesday morning in response to Medibank’s ‘distressing development’ that its cyber attack affecting consumer data was much wider than originally thought. Picture: Paul Jeffers

Medibank does not know how many former customers’ records have been kept but is required by law to retain the health information of adults for at least seven years, and children’s details until they reach the age of 25.

“We are dealing with a very serious criminal act and we are now operating with the knowledge that there is data that has been stolen which includes customer data from Medibank,” Mr Koczkar told The Australian.

“To me, there is no doubt this attack has been very deliberate, and done to cause maximum fear and damage to our vulnerable members of our community.

“We must operate with the potential that this could impact all of our customers.”

Medibank has been receiving regular briefings from the Australian Federal Police and has launched a detailed review into the incident.

Attorney-General Mark Dreyfus. Picture: Gary Ramage

Mr Koczkar pledged to bolster the company’s systems to protect against further cyber attacks.

“We all agree that cyber crime is an ever-present threat and I have committed to sharing the learnings of that review so we can be better armed in the future to protect these types of crimes,” he said.

The government is seeking to pass legislation that would increase the maximum fine for serious breaches from $2.2m to at least $50m.

Under the new laws, companies would also be fined three times the value of “any benefit obtained” through the misuse of information, or 30 per cent of their adjusted turnover over the period the breach was conducted.

Home Affairs Minister Clare O’Neil said the government was extremely concerned about the attack, given the personal nature of the stolen health data, and the damage could be “irreparable”.

Speaking to the House of Representatives, Ms O’Neil said the cyber criminals responsible for the theft were “a dog act, scum of the earth, lowest of the low territory”.

The federal government has activated its National Co-ordination Mechanism to streamline its response to the attack, bringing together agencies across federal and state governments to ensure swift support is provided to vulnerable groups.

The crisis body was set up by the former government as a response mechanism to deal with the most “difficult and complex” aspects of pandemic management.

“Australians who are struggling with mental health conditions, drug and alcohol addiction, with diseases that carry some shame or embarrassment, they are entitled to keep that information private and confidential,” Ms O’Neil said.

“Cyber criminals are the thugs of the 21st century, the bag snatchers and armed robbers.

“We need to do more to step up as a country. This government is doing everything it can to protect Australians against this breach.”

Medibank on Tuesday was forced to roll out a comprehensive customer support package in response to the attack, including 24/7 mental health and wellbeing support, support for vulnerable customers and access to specialist identity protection advice.

The company is in a voluntary trading halt due to end on Wednesday morning.

On Monday, the company revealed the criminal behind the data hack bought login credentials to gain access to the network from an online Russian criminal forum and did extensive reconnaissance before collecting the data, which experts estimate would have lasted months.

A credential broker – a type of criminal who steals and sells credentials – stole a Medibank login with a high level of access to the health insurer’s network, before advertising the information on a Russian-language criminal forum.

A second criminal bought the data, which they used to access Medibank, and began collecting intelligence on the structure and function of the network.

It is not known how long the criminal who bought the Medibank login was on the network, with investigations by the AFP and Australian Signals Directorate still ongoing.

Opposition cyber security spokesman James Paterson called on the government to release a timeline detailing the actions it took following the initial attack on October 13.

Additional reporting: Sarah Ison, David Swan


Original URL: https://www.theaustralian.com.au/nation/fast-track-for-data-shield/news-story/2a32df8a42d63d23dbde4c839668f75c