Australia’s largest insurer Medibank has sustained a $46.4 million (US$30 million) loss due to a cyber attack, according to the company’s 2023 financial year (FY) results.
Last year, Russian cybercriminals launched a hacking saga against Medibank, stealing personal data from nearly 10 million Australians and posting them on the dark web.
They added that it was expected to cost another $30 million to $35 million in FY24 for an IT security uplift, as well as legal and other costs related to regulatory investigations and litigation.
This, however, does not include the impacts of any potential findings or outcomes from regulatory investigations or litigation.
Following the cyber attack, Medibank lost nearly 13,000 out of about four million policyholders in the December quarter.
However, the company is swiftly recovering, with reported net resident policyholders increasing by almost 11,000 (0.6 percent) and net non-resident policy holders increasing by 78,400 (39.9 percent) in FY23.
The growth mainly came from families, younger people, and those taking out cover for the first time.
“In what was a very challenging year for our customers and our people, policyholder growth is back on track following the cybercrime event,” Medibank CEO David Kiczkar said.
“Health insurance customers have surpassed 4 million for the first time in our 47-year history, and they continue to prioritise their health and wellbeing by using their cover more than in recent years.”
Mr. Kiczkar said while many Australians were scaling back spending in many areas, health has not taken the same hit.
“People are still opting for private health insurance in record numbers,” he said.
“We expect further policyholder growth in FY24 in what will continue to be a highly competitive market.
“We recorded our largest increase in non-resident policyholders in seven years, with policy unit growth of almost 40 percent bringing the total number to nearly 275,000.”
Australia: A Gold Mine For Cyber Criminals
According to the Australian Cyber Security Centre’s 2021-22 report, each data breach incident costs a small business $40,000 on average. The number of attacks had also increased from 13 percent in 2021 to the equivalent of one every seven minutes in 2022.“Australia’s prosperity is attractive to cybercriminals,” the report said.
“Ransomware groups have further evolved their business model, seeking to maximise their impact by targeting the reputation of Australian organisations.
“In 2021-22, ransomware groups stole and released the personal information of hundreds of thousands of Australians as part of their extortion tactics. The cost of ransomware extends beyond the ransom demands, and may include system reconstruction, lost productivity, and lost customers.”
In 2022, Medibank faced legal action from its shareholders for not disclosing alleged cyber security “deficiencies.”
The class action was filed in the Supreme Court of Victoria and served on Medibank.
However, credit card and banking details, as well as data on health claims for dental, physiotherapy, optical and psychology, were not breached, the company said.