Hackers demanding a $10 million ransom have drip-fed sensitive health information about Medibank customers on the dark web over the past week. The hackers also stole data on Medibank employees,including mobile and work device numbers.
Medibank has said it will not pay the ransom,in line with government policy. The company has said the incident will cost it up to $35 million,but this figure excludes the potential costs of litigation which could increase the hit to shareholders significantly
Bloomberg Intelligenceanalysts have estimated that ther hack could ultimately cost Medibank $700 million if customers sue for damages. And this figure could hit $960 million if 10 per cent of affected customers join either of the class-actions and are paid the maximum $20,000 in damages,it said.
Medibank said it would not speculate on potential litigation,or what it might cost. “We are aware that several law firms are investigating a potential class action in relation to the recent cybercrime event. While one of those law firms has made preliminary contact regarding investigation into a potential class action,Medibank has not been served with any class action proceedings.”
“The cybercrime event continues to evolve and at this stage,we are unable to predict with certainty the impact of any litigation related costs. We will continue to keep shareholders informed,as appropriate,consistent with our continuous disclosure obligations.”
The company is facing at least two class actions,one from Bannister Law Class Actions and Centennial Lawyers and another from Maurice Blackburn,which has confirmed it was reviewing whether customers affected by the hack could beentitled to compensation.
Medibank on Sunday said four new files containing 1,496 records were released on the dark web over the weekend,of which 123 records had already been released. The company is analysing the material to determine its accuracy,as previous files released by the hackers have not matched its records.