Medibank hit with penalty over data breaches

Medibank’s infamous data breach in October last year was one of the biggest Australia has ever witnessed. Now, Medibank has been hit with a penalty for not having adequate security measures.

Over 9.7 million people were affected by the leak, with private medical information posted on the dark web. The culprits were identified as a Russian hacking group, which demanded a $15 million ransom, which Medibank refused.

The Australian Prudential and Regulation Authority (APRA) has now hit Medibank with a $250 million increase to its capital adequacy requirement in relation to the attack, claiming the company’s security was not up to standard.

“In taking this action, APRA seeks to ensure that Medibank expedites its remediation program,” said APRA member Suzanne Smith.

“This action demonstrates how seriously APRA takes entities’ obligations in relation to cyber risk and that APRA will respond strongly to identified weaknesses in cyber security controls.”

The capital adjustment will come into effect on 1 July and, according to APRA, “will be applied to Medibank’s operational risk charge under the new Private Health Insurance (PHI) Capital Framework. It will remain in place until an agreed remediation program of work is completed by Medibank to APRA’s satisfaction. APRA will also conduct a targeted technology review of Medibank, with a particular focus on governance and risk culture.”

Ms Smith continued: “As noted previously, APRA expects Medibank to ensure there is appropriate accountability and consequence management, including impacts to executive remuneration where appropriate. I note that Medibank has consistently dealt with APRA in an open, constructive and cooperative way, consistent with our expectation of all regulated entities.

“Since launching the 2020–2024 Cyber Security Strategy, APRA has repeatedly stressed the importance of an uplift in cyber security and continued vigilance to identify and address cyber exposures. Unfortunately, not all entities are heeding these messages as we continue to identify poor cyber security practices and inadequate oversight from boards and management.”

This consequence is a reminder to organisations to keep their security systems in check. Not only does adequate cyber security help to keep incidents like this from occurring, but it also adds an extra element of comfort for employees and consumers.

Jack Campbell

Jack is the editor at HR Leader.