“Information just keeps slowly leaking out, like no one really knows. But it does indicate that these large companies - that should be spending a lot of money on cyber and protecting customers - don’t seem to be. Meanwhile, they’ll turn up at the AGM and argue why, you know, the executives get paid truckloads of money.”
Medibank told analysts and investors on a conference call this morning it had closed off holes where it had found a breach, but wouldn’t guarantee that the hacker no longer had access to its systems.
“It’s an ongoing forensic analysis,” said Medibank’s technology chief John Goodall. “Everywhere we’ve identified a breach, it’s now closed.”
In light of the crippling attack, management has withdrawn forecasts for policyholder growth and said it would update the market later in the year. The company estimates that it will have to spend $25 million to $35 million to improve its cybersecurity, contact customers and investigate the breach in the first half of the 2023 financial year. But the company confirmed that it lacks cyber insurance and flagged that it could not quantify the overall cost of the incident. Potential risks include regulatory action, customer remediation and lawsuits.
Koczkar said he “apologised unreservedly” to customers.
“Our investigation has now established that this criminal has accessed all our private health insurance customers’ personal data and significant amounts of their health claims data,” he said in a statement.
The company is now focused on establishing exactly what health claims data, and for which customers, the criminal had access to.
“The investigation into this cybercrime event is continuing, with particular focus on what data was removed by the criminal.”
“As we’ve continued to say we believe that the scale of stolen customer data will be greater, and we expect that the number of affected customers could grow substantially.”
Koczkar declined to say if Medibank has received a ransom demand from the hackers, citing the ongoing investigation by the Australian Federal Police.
He did confirm to this masthead that communications with the hacker have resulted in the company receiving more files of customer data.
“I would say we received a series of files,” he said without clarifying further. “The two files that we’re sure about, that we have talked about, impacts 1100 ahm customers and includes their personal and some health claims data. There are a whole series of other files, some of which don’t include anything, some of which include some personal and health claims data.”
The stolen data is from current and former customers and includes names, addresses, birthdates, Medicare numbers, contact information and claims data from the private health insurer. The list of Medibank customers affected potentially includes high-profile Australians.
The hackers have also claimed to possess credit card information, although Medibank said there was no evidence - at this stage - that this is the case, but emphasised that its investigations are continuing.
Medibank announced a support package for affected customers, which includes hardship provisions to provide financial assistance to customers who are in a uniquely vulnerable position as a result of this crime. It is also allowing access to Medibank’s mental health and wellbeing support line for all customers, including customers of its budget ahm service.
The group is also giving affected customers access to specialist identity protection advice and resources from IDCARE, free identity monitoring services for customers who have had their primary ID compromised and reimbursements for the “re-issue of identity documents that have been fully compromised in this crime”.