The Medibank cyberattack could prove costly for Australia’s largest private health insurer and its shareholders, as the company continues to reel from a breach described as more sophisticated than last month’s damaging hack of Optus.
Investment analysts say the hack is likely to hurt Medibank financially, but it is too early to tell if the breach will lead to significant brand damage for the company or claim management scalps.
“We assume this will be costly for Medibank on multiple fronts,” said Morningstar analyst Nathan Zaia in a research note on Friday.
Medibank has confirmed that the hackers have accessed sensitive customer data. Credit: Chris Hopkins
This could include the ramp-up in costs associated with hiring call-centre staff to deal with inbound calls, beefing up cybersecurity and the cost of Medibank’s ongoing investigation. Lost growth momentum and “potential litigation from customers who have had their sensitive medical histories leaked” could also hit the company financially, he said.
While the cyberattack happened on October 12, Medibank did not receive a ransom note until October 19. The communication included an attachment with data on 100 customers as proof of the hack.
“We want to talk with your company about demand, and also attach part of your personal data to prove. By the way we’re ready to send you more proves,” said the ransom note, which has been seen by this publication.
Marcus Thompson, a former head of the Australian Defence Force’s information warfare division, said the hack implied “a more polished threat actor” than those involved in the Optus attack, when $1.5 million was demanded and then recanted.
By Thursday, Medibank publicly confirmed that the sample of data on 100 customers was authentic, and warned that it expected the number of affected customers to grow substantially in coming days.
The sample data comes from Medibank’s cheaper ahm brand and its international student services, which have about 1 million customers combined. The data includes names, addresses, dates of birth, Medicare numbers, contact information plus sensitive health information.
The hackers claim to have stolen 200 gigabytes worth of data including customer credit card information and sensitive health records. Staff from the Australian Federal Police and Australian Signals Directorate, the nation’s cyber agency, are embedded in Medibank and investigating the breach to try to stop the data getting released more widely.
Based on the hackers' unverified claims to possess 200 gigabytes of data, Morningstar's Zaia said tens of thousands of policyholders could be affected.
“Assuming this [data] includes verification documents of a few megabytes each, we estimate this amount of data could easily encompass 30,000 policyholders,” Zaia said.
With limited information, it is hard to assess the adequacy of Medibank’s cyber protection, and whether it acted quickly enough, and hence, whether it would “incur material brand damage, fines, and management scalps”, his report said.
Despite the publicity, Zaia and analysts at Jefferies expect the fallout to be limited in terms of customer impact.
“We expect a period of disruption to slow policyholder growth but not a mass exodus of customers or a material step-up in the cost base,” Zaia said.
According to Reuters, Jefferies analysts say affected customers will be concerned and more likely to switch to Medibank’s competitors than those unaffected, but the relative cybersafety of Medibank’s peers would be hard to assess as they are largely unlisted.
NIB group is the only other ASX-listed private health insurer.
Medibank requested a voluntary suspension from trading on Friday, while it continues to investigate the hacking incident. The suspension expires on October 26.
Medibank shares last traded on Wednesday at $3.50.