Medibank CEO David Koczkar told the company’s annual general meeting on Nov. 16 that the hack presented an “incredible challenge” but was confident the Medibank team would pull through.
“Based on our current actions in response to the cybercrime event, we currently estimate $25 million to $35 million of pre-tax non-recurring costs will impact earnings in the first half of 2023,” he said.
“These non-recurring costs do not include further potential customer and other remediation, regulatory or litigation related costs.”
Hackers stole the personal information of 9.7 million former and current customers, including names, birth dates, addresses, email addresses, and phone numbers. The Australian Federal Police said the “loosely affiliated” cyber criminals were based in Russia.
Data has released publicly in waves after the health insurance company announced it would not be paying the US$10 million ransom demand.
The company’s decision was consistent with advice from experts and the Australian government that said paying the ransom did not guarantee the return of the data and could encourage criminals to directly extort customers.
“The weaponising of the private data of many Australians—our customers—is malicious,” Koczkar said. “We are steadfast in our resolve to NOT reward this criminal behaviour, nor to strengthen a business model that is based on extortion.”
“This is a watershed moment for our community—a harsh reminder of the new frontier in cybercrime that we all face.”
Medibank Chair Mike Wilkins said the cyberattack overshadowed its operating achievements in the 2022 financial year.
“Notwithstanding the cybercrime attack we have continued to operate and to be there for our customers in order to help them with their health needs,” he said.
Government Looking to Outlaw Cyber Ransom Payments
Meanwhile, new laws that ban local companies from paying ransoms to hackers could be introduced to disincentivise hackers.
Speaking to the Australian Broadcasting Corporation’s Insiders program on Nov. 13, Home Affairs Minister Clare O’Neil said the federal government was considering the move following high-profile attacks on Medibank and major telecommunications firm Optus.
The minister said while short-term successes were needed in cyber security reform in the wake of the data breaches, the government was examining other long-term outcomes.
“There are some really big policy questions that we’re going to need to think about and consult on, and we’re going to do that in the context of the cyber security strategy,” she said.
“We’ll have a look at [making ransom payments illegal].”
Alfred Bui contributed to this article.