Medibank bleeds $26 million in cyber costs following hack

Medibank has revealed that it has suffered $26.2 million AUD (£14.7 million) in cyber crime-related costs following the hack of its systems in the second half of 2022.

It expects its cyber crime costs to be around $40-$45 million for the 2023 financial year. This involves additional investments in IT security, but excludes further customer and other remediation, regulatory, or litigation-related costs.

According to IBM's figures in 2022, the average cost to an Australian organisation following a ransomware attack was $4.5 million, putting Medibank's losses considerably above the average.

The attacker accessed its systems through a stolen username and password belonging to a third-party IT service provider, Medibank revealed. This was used to access the company’s network through a misconfigured firewall which lacked an additional digital security certificate.

The company said the attacker then went on to obtain more usernames and passwords to access other systems. Since the company was alerted to the attack on 11 October, it confirmed that it hasn’t detected any additional criminal activity on its systems since 12 October.

“We recognise the significant impact the cyber crime event has had on our customers. We will continue to support them through our Cyber Response Support Program, which includes mental health and wellbeing support, identity protection, and financial hardship measures,” said David Koczkar, CEO at Medibank.

“There is more work to do, and the lessons we have learnt from the cyber crime will continue to shape our response and we will emerge stronger.”

Since the attack, the company said it has implemented greater security controls, including ensuring its firewall authentication is fully configured across its entire network.

It has also improved its network monitoring and added further detection and forensics capabilities to help defend against the 18 million perimeter attacks it experiences every day.

An unknown hacker targeted Medibank in October 2022 and threatened to release stolen data unless the company paid a ransom.

Data belonging to 9.7 million former and current customers was exposed, which was believed to include information like health claims data and passport numbers. At the time, the company thought the hack could set it back by $25-$35 million, especially since it didn’t have cyber insurance.

Medibank delivered its most detailed account of the 2022 attack in its half-year earings report released on Thursday.

It reported a gross profit of $233.3 million, an increase of 5.9% compared to the previous half-year. Over the past year, the company has gained around 35,000 customers, despite losing 13,000 clients following the attack in the second half of 2022.