This was published 1 year ago
Medibank faces $1 billion bill as hackers release 1500 more sensitive records
By Simone Fox Koob and Colin Kruger
Medibank could face a $1 billion compensation bill from the damaging cyberattack that has affected 10 million customers, as hackers targeting the company released the biggest tranche of sensitive data yet in another attempt to pressure it into paying a ransom.
The ASX-listed private health insurer confirmed on Sunday morning that another 1500 customer records containing sensitive health information had been released on the dark web - the largest release of health data so far in the incident.
Medibank chief executive David Koczkar during the company’s AGM last week. Credit: Luis Enrique Ascui
Hackers demanding a $10 million ransom have drip-fed sensitive health information about Medibank customers on the dark web over the past week. The hackers also stole data on Medibank employees, including mobile and work device numbers.
Medibank has said it will not pay the ransom, in line with government policy. The company has said the incident will cost it up to $35 million, but this figure excludes the potential costs of litigation which could increase the hit to shareholders significantly
Bloomberg Intelligence analysts have estimated that ther hack could ultimately cost Medibank $700 million if customers sue for damages. And this figure could hit $960 million if 10 per cent of affected customers join either of the class-actions and are paid the maximum $20,000 in damages, it said.
Medibank said it would not speculate on potential litigation, or what it might cost. “We are aware that several law firms are investigating a potential class action in relation to the recent cybercrime event. While one of those law firms has made preliminary contact regarding investigation into a potential class action, Medibank has not been served with any class action proceedings.”
“The cybercrime event continues to evolve and at this stage, we are unable to predict with certainty the impact of any litigation related costs. We will continue to keep shareholders informed, as appropriate, consistent with our continuous disclosure obligations.”
The company is facing at least two class actions, one from Bannister Law Class Actions and Centennial Lawyers and another from Maurice Blackburn, which has confirmed it was reviewing whether customers affected by the hack could be entitled to compensation.
Medibank on Sunday said four new files containing 1,496 records were released on the dark web over the weekend, of which 123 records had already been released. The company is analysing the material to determine its accuracy, as previous files released by the hackers have not matched its records.
Treasurer Jim Chalmers described the hackers as “complete grubs” on Sunday morning and said recent cyber attacks had been a wake-up call for both the government and the private sector.
“These people are complete grubs - pure and simple. It is despicable that people are prepared to release the sorts of information that we’ve seen released in recent days,” he said. “It is well beyond the pale to see this kind of private, sensitive information released into the public domain.”
“We need to rebuild our buffers against these kinds of grubby acts, these kinds of despicable acts. The government is prepared to do its bit. I’m confident the private sector is prepared to do its bit as well. We’ve all got an interest in stamping out this despicable, despicable, grubby act of the kind that we’ve seen overnight.”
The hack is the worst in Australian corporate history.
At the company’s annual general meeting last week, Medibank chief executive David Koczkar insisted the insurer was not going to change its decision to reject the ransom demand.
“There is no doubt that rejecting the ransom demand was the right thing to do,” he told investors.
Koczkar said on Sunday morning those who had been impacted were being offered support. The company has increased its customer support team by more than 300 people.
Medibank has also stressed that those named in the data may not necessarily be the person who received the treatment, but may be the policyholder.
The cyberattack was triggered when hackers gained access to the company’s internal systems by stealing the login credentials of an employee or contractor.
The Australian Federal Police has named Russia as the home of the hacking group. Authorities believe the notorious REvil group was involved.
Last week, Medibank chairman Mike Wilkins said the company’s cyber processes were “robust, although clearly not robust enough in this circumstance”.
At last week’s AGM shareholders did not protest the company’s remuneration report and all directors up for re-election were endorsed, in line with advice given by proxy groups.
The Business Briefing newsletter delivers major stories, exclusive coverage and expert opinion. Sign up to get it every weekday morning.