Medibank slammed with $250m penalty
Aftershocks of the earthquake cyber attack that impacted Medibank last year have continued to rock the health insurance provider, with APRA forcing the insurer to hold an extra $250 million in capital.
Editor’s note: Part of this story originally appeared on Lawyers Weekly’s sister brand, Cyber Security Connect, which is covering the Medibank data breach as well as other cyber incidents impacting Australian businesses, organisations and government departments.
The additional cost comes as a result of weaknesses in the health insurer’s security. To lift the hold, Medibank will be required to present a more detailed remediation plan to be approved by APRA.
In addition, APRA will ensure the health insurer’s systems are up to scratch with a “targeted technology review” that will focus on governance and risk culture.
“APRA notes that while Medibank has already addressed the specific control weaknesses which permitted unauthorised access to its systems, it still has further work to do across a number of areas to further strengthen its security environment and data management,” said APRA in a release issued on Tuesday (27 June).
“Where appropriate, APRA will take further action to ensure entities address gaps and weakness in controls.”
Medibank chief executive David Koczkar responded to the APRA announcement, stating that customer security remains a key concern for the organisation.
“Safeguarding customer data is a responsibility Medibank takes very seriously.
“Medibank has continued to strengthen our systems and processes to provide our customers with the security they expect and deserve. We will continue to work to enhance our systems and processes even further. Our company remains strong and well capitalised,” he said.
“We continue to support our customers through the Medibank Cyber Response Support Program, which includes mental health and wellbeing support, identity protection and financial hardship measures.”
Despite the additional $250 million, Medibank said it has enough unallocated capital to meet the new costs and that afterwards, it would still have $148 million left, the same figure that it gave in its 2022 full-year results.
On 13 October 2022, Medibank confirmed to the market that it had detected “unusual activity” on its network, before disclosing that customer data had been accessed and stolen, affecting as many as 9.7 million current and former Medibank, ahm, and international student customers. The attack was launched by the Russian REvil hacking group, which demanded $15.6 million in ransom for the release of the data.
Despite not paying the ransom, a move supported by the Australian government, Medibank is facing a much higher price tag. Alongside the capital APRA requires the health insurer to hold, Medibank is facing at least four consumer and shareholder class action lawsuits.
According to The Australian, analysts of the attack have said that the total price tag for Medibank outside of held capital could be as high as $150 million.
The Medibank breach followed “potentially the most serious privacy breach in Australian history”, in which potentially millions of Optus customers had their names, dates of birth, phone numbers and email addresses stolen by cyber criminals, as well as licence and passport numbers in some cases.
Both data breaches prompted numerous class actions, and smaller firms were warned that they were “sitting ducks” and were advised to become more diligent.
Then, in May this year, HWL Ebsworth — which has nine offices across the country and the biggest partnership of any law firm in Australia — confirmed that a Russian-backed ALPHV ransomware group, also known as BlackCat, hacked into an employee’s personal computer and allegedly stole more than four terabytes of data from the firm’s Melbourne server, including client and staff documents.
While the full impact of the HWLE data breach is not yet known, HWL Ebsworth partner Andrew Miers confirmed in an affidavit submitted to the Supreme Court of NSW that HWLE has, so far, incurred over $250,000 in costs to conduct a comprehensive review into the leaked data, and that this cost is only expected to grow.
This came after IP services group IPH Limited (ASX: IPH) detected unauthorised access to a portion of its IT environment in mid-March. It subsequently halted trading and launched an investigation into the breach.
The cyber attack was on two of the intellectual property law group’s member firms: Spruson & Ferguson (Australia) and Griffith Hack. That data breach was later revealed to have cost the firm an estimated $2 million to $2.5 million, as reported by Lawyers Weekly at the time.
Following this breach, law firms of all sizes were advised to take note of it and put proper precautions in place to protect themselves from cyber criminals, such as taking out cyber insurance and taking a closer look at their positive security obligations. This is especially relevant in light of the HWLE breach, yet the 2023 State of Cyber Maturity for Australian Law Firms report, released in April this year, found that 51 per cent of Australian law firms are not confident in their ability to detect and respond to cyber threats.