Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

APRA slams Medibank with $250m penalty

Aftershocks of the earthquake cyber attack that impacted Medibank last year have continued to rock the health insurance provider, with APRA forcing the insurer to hold an extra $250 million in capital.

user icon Daniel Croft
Tue, 27 Jun 2023
APRA slams Medibank with $250m penalty
expand image

The Australian Prudential Regulation Authority (APRA) has announced that as punishment for the breach, Medibank’s requirement to hold capital will increase by $250 million starting from July as part of the Private Health Insurance (PHI) Capital Framework.

The additional cost comes as a result of weaknesses in the health insurer’s security. To lift the hold, Medibank will be required to present a more detailed remediation plan to be approved by APRA.

In addition, APRA will ensure the health insurer’s systems are up to scratch with a “targeted technology review” that will focus on governance and risk culture.

============
============

“APRA notes that while Medibank has already addressed the specific control weaknesses which permitted unauthorised access to its systems, it still has further work to do across a number of areas to further strengthen its security environment and data management,” said APRA in a release issued on Tuesday (27 June).

“Where appropriate, APRA will take further action to ensure entities address gaps and weakness in controls.”

APRA executive board member Suzanne Smith outlined the authority’s expectations of Medibank in its remediation plan.

“APRA expects Medibank to ensure there is appropriate accountability and consequence management, including impacts to executive remuneration where appropriate,” she said.

“I note that Medibank has consistently dealt with APRA in an open, constructive and cooperative way, consistent with our expectation of all regulated entities.”

Medibank chief executive David Koczkar responded to the APRA announcement, stating that customer security remains a key concern for the organisation.

“Safeguarding customer data is a responsibility Medibank takes very seriously,” Koczkar said.

“Medibank has continued to strengthen our systems and processes to provide our customers with the security they expect and deserve. We will continue to work to enhance our systems and processes even further.

“Our company remains strong and well capitalised.

“We continue to support our customers through the Medibank Cyber Response Support Program, which includes mental health and wellbeing support, identity protection and financial hardship measures.”

Despite the additional $250 million, Medibank said it has enough unallocated capital to meet the new costs and that afterwards, it would still have $148 million left, the same figure that it gave in its 2022 full-year results.

Some observers feel APRA's move should be a clarion call for organisations to get their security in order, or face the consequences.

"This action by APRA is a first for the regulator and should be a wake-up call for major organisations to ensure they have stronger cybersecurity controls," Sumit Bansal, VP for APJ at BlueVoyant, told us. "Enterprises are only as secure as their weakest third-party link and unfortunately, when this weakness is leveraged by cybercriminals, it can set off a domino effect of security risks with long-term negative impacts on the company finances, reputation, employee welfare, and customer’s personal data. This is what we are also witnessing with the recent fallout from the data breach with law firm HWL Ebsworth and the third-party transfer platform MOVEit, who experienced a cybersecurity incident that has impacted hundreds of organisations including PwC."

The Medibank cyber attack occurred in October last year, affecting 9.7 million people across Medibank, its budget brand ahm, and international students.

The attack was launched by the Russian REvil hacking group, which demanded $15.6 million in ransom for the release of the data.

Despite not paying the ransom, a move supported by the Australian government, Medibank is facing a much higher price tag. Alongside the capital APRA requires the health insurer holds, Medibank is facing at least four consumer and shareholder class action lawsuits.

According to The Australian, analysts of the attack have said that the total price tag for Medibank outside of held capital could be as high as $150 million.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.