Medibank hit by ANOTHER damning blow as stock price plummets – Medibank faces costs of up to $30million after it was revealed it had no insurance to protect itself from a cyber attack that affected almost four million customers.
The private health insurer’s market value plummeted by around $1.7billion on Wednesday as Russian hackers threatened to expose the health records and other sensitive data of millions of Australians.
Medibank hit by ANOTHER damning blow as stock price plummets
The hackers claim to have stolen 200 gigabytes of data and have shown some proof, including medical records.
Federal Cyber Security Minister Clare O’Neil said, ‘The latest advice from Medibank is deeply concerning … the government recognises that this incident is very stressful for affected Australians.’
Federal Cyber Security Minister Clare O’Neil (pictured) said ‘The latest advice from Medibank is deeply concerning’
Ms O’Neil said she had been in constant contact with the health insurer and that the government had provided the resources to tackle the breach.
‘The toughest and smartest people in the government are working directly with Medibank to try to ensure that this horrendous criminal act does not turn into what could be irreparable harm to some Australian citizens,’ she told Channel 7.
While the Federal Government is seeking to increase fines for companies who are hacked, Medibank admitted it didn’t have insurance to protect itself in the event of a data breach.
The company’s chief financial officer Mark Rogers said cyber insurance ‘costs went up significantly over the last couple of years – how much coverage you can actually get in terms of the total amount of exposure plus the risk share.’
He said the ability to make a claim had also diminished.
‘So, notwithstanding the fact we didn’t have cyber insurance, I wouldn’t expect … that the majority of costs that we’re currently calling out in the 25 to 35 million (range) would have even been covered.’
Cyber security strategist Jamie Norton said the full extent of the Medibank data breach is probably not yet known, either by the public or the company.
‘What concerns me a little bit is just how long it’s taken and the process and the visibility they have into what’s happened,’ he told ABC radio.
Hackers claim to have stolen 200 gigabytes of data and have shown some proof, including medical records. Pictured is a stock image of a hacker
Mr Norton, who has spent more than two decades managing cyber security, including for the Australian Taxation Office, said companies need to protect themselves financially.
‘There is a significant burden if an organisation gets breached and they don’t have cyber insurance,’ he said.
He said 70 per cent of companies had experienced a ransomware attempt in the last five years.
‘So we’re talking very high numbers, and 80 per cent of those choose to pay the ransom. So it’s a common event,’ he said.
A cyber attack has affected almost four million Medibank customers as the private health insurer’s market value plummeted by around $1.7billion on Wednesday
Mr Norton said the question of Medibank paying a ransom is a vexed one.
‘(It) very much depends on the range of circumstances, notwithstanding that paying the ransom is absolutely no guarantee that the Medibank information on four million Australians is not going to leak out anyway.’
US expat Mitchell Maider told ABC he had been caught up in both the Medibank attack and Optus hacks, despite no longer being a customer of either.
He left Optus seven years ago and Medibank four years ago and doesn’t understand why the companies still have his data.
‘The irony is laughable. They’re an insurance company, a health insurance company. They’re handling people’s sensitive data, including their health records.
‘They should have every protection they can possibly (have) in place,’ he said.
The Optus store on George Street Sydney is pictured on October 7, 2022 with an apology message to its customers after a cyber attack
Mr Maider said companies should be forced to delete data after a customer leaves them.
‘There needs to be a law saying if you’re not with a company any more, like within six months, that they delete your records.
‘It’s just creepy that they kept all of this data.’
The Federal Government has introduced legislation that would increase fines for companies that have serious or repeated privacy breaches.
Under the draft laws, companies can be fined $50million or more.
Federal Attorney-General Mark Dreyfus said the increased fines are needed.
‘As the Optus, Medibank and MyDeal cyber attacks have recently highlighted, data breaches have the potential to cause serious financial and emotional harm to Australians, and this is unacceptable,’ he said.
