Medibank sued after 9.7m Aussies have data stolen in Russian cyber attack
Medibank is being taken to court after the personal information of 9.7 million Australians was stolen in a cyber attack.
Health insurance giant Medibank is being sued by the information watchdog after the personal information of 9.7 million Australians was stolen.
The Australian Information Commissioner announced on Wednesday it had filed civil penalty proceedings over the October 2022 data breach.
Sensitive information, including names, dates of birth, and Medicare numbers, was stolen in the cyber attack; much of it leaked online.
In a statement, the Commissioner alleged Medibank had failed to take reasonable steps to protect the information from misuse from March 2021 until the attack.
“The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,” acting Commissioner Elizabeth Tydd said.
“We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.”
The civil proceedings followed an investigation launched by the OAIC into the attack, which affected both current and former members, as well as subsidiary AHM.
Under Australian Privacy Principles, Medibank is required to take reasonable steps to protect the information it holds, including from unauthorised access.
The OAIC may apply to the Federal Court for a penalty order if an entity is alleged to have “engaged in serious or repeated interferences with privacy”.
If found guilty, Medibank could face a civil penalty of up to $2.2 million for each contravention, though such an order is only made by the court.
According to the OAIC, Medibank generated revenue of $7.1 billion and an annual profit of $560 million in the financial year ending June 2022.
In January, Foreign Minister Penny Wong announced sanctions against Russian man Aleksandr Ermakov over his alleged role in the breach.
The sanctions were the first under cyber security legislation passed in 2021 and came after an investigation by both the AFP and ASD.