
Medibank hit with $250m penalty after hack


Financial regulator APRA said Medibank still had “further work to do” to beef up its cybersecurity and data management after a breach last October saw up to 9.7 million Australians lose their personal medical details.


The regulator released a statement announcing the move on Tuesday, saying its decision reflected “weaknesses identified in Medibank’s information security environment.”

As a result, the health insurer will be forced to hold an additional $250 million in capital funds until it can complete a more detailed remediation plan.

This means Medibank will essentially be unable to use more than half the capital it held before the penalty, as those funds cannot be spent on operating expenditure or investment.


In addition, APRA announced it would also undertake a “targeted technology review” of Medibank, focusing on its governance and risk culture.

APRA Member Suzanne Smith said the penalty was aimed at pushing Medibank to speed up its plans to address fallout from the breach as well as serving as a reminder the regulator would respond “strongly” to future incidents involving other companies.

“In taking this action, APRA seeks to ensure that Medibank expedites its remediation program,” she said.

“This action demonstrates how seriously APRA takes entities’ obligations in relation to cyber risk and that APRA will respond strongly to identified weaknesses in cyber security controls.

“As noted previously, APRA expects Medibank to ensure there is appropriate accountability and consequence management, including impacts to executive remuneration where appropriate.”

Medibank is already facing several class actions over last October’s cyberattack which saw about 9.7 million Australians have their personal medical information compromised, and in some cases posted online.


Some analysts have estimated the cost of the clean-up from the breach, including damages from lawsuits, could amount to as much as $150 million.

Responding to the penalty, Medibank CEO David Koczkar said the company remained “strong” and was continuing to work on improving outcomes for customers in the aftermath of the hack.

“Safeguarding customer data is a responsibility Medibank takes very seriously,” he said.

“Medibank has continued to strengthen our systems and processes to provide our customers with the security they expect and deserve. We will continue to work to enhance our systems and processes even further.


“Our company remains strong and well capitalised.

“We continue to support our customers through the Medibank Cyber Response Support Program, which includes mental health and wellbeing support, identity protection and financial hardship measures.”

In a statement, Medibank added the company had “significant existing capital” to compensate for the penalty.

It said unallocated capital would remain at June 30, 2022 levels of $148 million, which meant it would not at this stage reduce its target health insurance required capital ratio.

The health insurer believes the penalty is unlikely to affect its day-to-day operations, although new regulations for the industry set to come into force on July 1 will increase its need for capital further.


Medibank added it would continue to provide APRA with its “full support” as it works closely with the regulator to finalise and implement its remediation program.

APRA also noted the company had consistently worked with the regulator in an “open, constructive and cooperative way” as Ms Smith called on other firms to maintain a close watch on their operations to avoid a similar incident.

“Since launching the 2020-2024 Cyber Security Strategy APRA has repeatedly stressed the importance of an uplift in cyber security and continued vigilance to identify and address cyber exposures,” she said.

“Unfortunately, not all entities are heeding these messages as we continue to identify poor cyber security practices and inadequate oversight from boards and management.”
