Australia beefs up scrutiny of Medibank following data breach

Financial services regulator says it has "intensified" its supervision of Medibank following a data breach that impacted 9.7 million customers and believed to be the work of Russian hackers.
Written by Eileen Yu, Senior Contributing Editor

Australia is beefing up its scrutiny of Medibank and will assess if further regulatory action is necessary, following a data breach that impacted 9.7 million customers. The insurance group also has pledged to share the outcome of an external review into the breach, which is believed to be the work of Russian hackers. 

Noting that the breach raised concerns about the robustness of Medibank's operational risk controls, the Australian Prudential Regulation Authority (APRA) said Monday it had "intensified" its supervision of Medibank. Consulting firm Deloitte had been brought in to examine the security incident as well as Medibank's response and effectiveness of its controls. 

The financial services regulator said it would determine if further regulatory action was necessary when findings of the external review were established. 

APRA Member Suzanne Smith said: "APRA expects Medibank to undertake any recommended remediation actions and ensure there is appropriate consequence management, including impacts to executive remuneration where appropriate."

The government agency added that it would further intensify supervision of all entities that failed to comply with the country's Information Security Prudential Standard CPS 234, which outlined measures they must take to remain resilient against cybersecurity incidents. 

"Recent cyber attacks reinforce the need for ongoing vigilance and focus by boards on operational resilience," Smith said. "They are a stark reminder for boards to ensure they can answer these fundamental questions: Do you know what data you are holding? Do you know where it is? How do you know it is safe? And do you need to retain it? 

"Cybersecurity is a highly significant risk area for all regulated entities and we remind banks, insurers and superannuation funds to remain vigilant in order to protect their beneficiaries and the Australian community," she added. 

In response, Medibank CEO David Koczkar said Monday it had been in consultation with APRA on the scope of the external review, which it had commissioned Deloitte to undertake. 

"We will share the key outcomes and consequences of the review, where appropriate, having regard to the interests of our customers and stakeholders and the ongoing nature of the Australian Federal Police (AFP) investigation," Koczkar said. 

The police earlier this month said hackers based in Russian were responsible for the breach, adding that it was working on "covert measures" with its international networks, including the Interpol."

AFP Commissioner Reece Kershaw said: "Our intelligence points to a group of loosely affiliated cybercriminals, who are likely responsible for past significant breaches in countries across the world. These cybercriminals are operating like a business with affiliates and associates who are supporting the business. We also believe some affiliates may be in other countries."

Adding that his team knew but were not revealing the identifies of the people behind the attack, Kershaw said ongoing investigations were focused on all parties involved. "What I will say is that we will be holding talks with Russian law enforcement about these individuals," he said. 

AFP has oversight of the Australian Interpol National Central Bureau, which has direct contact with National Central Bureau Moscow. 

Kershaw noted that Interpol National Central Bureaus could ask for cooperation from any other National Central Bureau in investigations that went beyond local borders. "It is important to note that Russia benefits from the intelligence-sharing and data shared through Interpol, and with that comes responsibilities and accountability," he said.

Medibank has posted updates on data compromised in the breach that have popped up on a dark web forum. In a November 20 statement, it confirmed another four files containing 1,496 records were released online, including 123 records from files previously released by the hackers. 

Koczkar said the company would not pay any ransom, based on the advice of cybercrime experts and belief there was only a limited chance doing so would prevent its customers' data from being published. "Paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm's way by making Australia a bigger target," he said. 

The Australian government this month passed a legislation to increase financial penalties for data privacy violators, pushing up maximum fines for serious or repeated breaches to AU$50 million ($32.34 million), from its current AU$2.22 million, or three times the value of any benefit obtained through the data misuse, or 30% of the company's adjusted turnover in the relevant period, whichever is greater. 


Editorial standards