Medibank reveals full extent of hack that could cost $35 million
Medibank, one of Australia’s largest health insurers, suffered a data breach in early October. The magnitude of the breach wasn’t clear at the time, but the company has since said that the personal information of all its 3.9 million customers was exposed.
By its estimate, the breach will cost the company about $25-$35 million, since the company did not have cyber insurance. This amount does not include additional costs that may be incurred in the form of regulatory fines, litigation costs, customer compensation, and further remediation. The hackers said they want a ransom in exchange for not exposing the breached data.
The news also comes at a time when the Australian government is strengthening its rules on data breaches. The government stated that the country’s current laws on data breaches are inadequate and announced that it would be raising the maximum penalty for companies that suffer breaches from $2.22 million to $50 million.
We are unsure of the penalty that will apply to Medibank since the breach happened before the new rules were implemented.
In an update to the Australian Stock Exchange, Medibank revealed that investigations had concluded that the hacker had access to all Medibank, ahm and international student customers’ personal data, and significant amounts of health claims data. Leaked personal information includes names, addresses, dates of birth, some Medicare card numbers and the gender of customers.
“Our investigation has now established that this criminal has accessed all our private health insurance customers' personal data and significant amounts of their health claims data,” said David Koczkar, CEO at Medibank. “As we’ve continued to say, we believe that the scale of stolen customer data will be greater and we expect that the number of affected customers could grow substantially. I apologise unreservedly to our customers,” he added.
The company is continuing its investigations to determine the full scope of customer data that has been exposed so that it can contact the affected customers. The insurer has created a support package for customers that are in a ‘uniquely vulnerable position.’ The package includes the provision of mental and well-being support to customers, the provision of specialist identity protection advice and monitoring services, and reimbursement of fees for the re-issue of identity documents for customers that have already been exposed.
This attack is a classic case of a new attack method in which hackers have stopped encrypting company files for ransom and instead steal the data, then demand a ransom in exchange for not leaking it.