Australian Insurer Expects Years of Litigation Related to 2022 Hack
Australia’s largest provider of private health insurance says it expects to spend a total of AU$126 million, or $84.78 million, over a three-year period to upgrade its IT security following a ransomware incident in 2022.
Medibank said in a fiscal year-end statement that it spent nearly AU$40 million in the 12 months ending in June to upgrade its IT systems. Chief Financial Officer Mark Rogers told investors during an earnings call Thursday that Medibank expects about the same amount this year.
Medibank’s statement follows the Office of the Australian Information Commissioner suing the company in court over alleged data privacy violations that compromised the personal and sensitive health information of up to 9.7 million current and former customers.
Medibank “failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach,” said acting Information Commissioner Elizabeth Tydd.
A Russia-based cybercriminal group hacked Medibank in October 2022 and in December of that year dumped onto the dark web what it said was a 5-gigabyte copy of the entire stolen dataset. The hack affected 9.7 million current and former customers, including 1.8 million foreigners residing in Australia. The United States, Australia and the United Kingdom earlier this year sanctioned a Russian man they said was behind the hack, stating that the man, Aleksandr Gennadievich Ermakov, was likely linked with defunct Russian cyber extortionist gang REvil (see: Australia, US, UK Sanction Russian Over 2022 Medibank Breach).
The Australian Information Commissioner told the Australian court that Medibank’s cybersecurity budget was just AU$1 million in 2022 despite revenue of AU$7.1 billion.
International legal practice Dentons said Medibank theoretically faces a civil penalty of a maximum of AU$21.5 trillion, considering that the Privacy Act gives the Federal Court of Australia the power to impose a civil penalty of up to AU$2.22 million for each contravention. “It is highly unlikely that any award of a civil penalty would even be in the vicinity of that amount, but it does signal the sheer gravity of the case,” the firm said.
In June 2023, the Australian Prudential Regulation Authority, the country’s financial regulator, ordered Medibank to set aside AU$250 million, or $167 million, as additional capital to reinforce its information security systems after a review revealed weaknesses in the insurance giant’s information security environment.
APRA said the revised capital adjustment requirement will remain until Medibank completes an agreed remediation program and clears APRA’s targeted technology review of its risk governance practices. Medibank CEO David Koczkar said at the time that the company remained “strong and well capitalized” and would continue to enhance systems and processes to provide better security to customers.
Rogers told investors Thursday that the insurer expects to face further data breach-related costs beyond FY 2025, but those expenses will mostly cover litigation costs. Medibank also faces several class-action lawsuits from shareholders and affected customers that may result in significant payouts (see: Australian Law Firms Cooperate in Medibank Litigation).
The company said it earned net revenue of AU$8.1 billion during its fiscal 2024, up 4.7% from the previous year, and an operating profit of about AU$700 million, up 7.9%.