Medibank Faces $250 Million as Penalty for Data Breach

Medibank’s travails after being hit by cybercriminals do not seem to be ending. APRA, the Australian Prudential Regulation Authority, has asked the insurer to hold another $250 million in capital as security. This is a punishment meted out to Medibank for failing to prevent the breach from occurring. The requirement for Medibank to hold capital will increase by $250 million in July 2023. Medibank needs to set aside this amount as security capital to compensate for the weaknesses in its digital infrastructure, and to have the penalty lifted it needs to present a detailed, APRA-approved remediation plan.

Further, APRA will conduct a targeted technology review of Medibank’s systems to help the insurer focus on governance and risk culture. According to a release issued by APRA, “while Medibank has already addressed the specific control weaknesses that permitted unauthorised access to its systems, it still has work to do across a number of areas to further strengthen its security environment and data management.”

Medibank Assurance of Being Well Capitalised

The Chief Executive of Medibank, David Koczkar, responded to the APRA statement by stating that the area of customer security remains a key concern. David further stated that Medibank has strengthened its systems and processes to provide customers with the security they deserve. The insurer continues to work towards enhancing its systems and processes even further. The health insurer remains strong and well capitalised.

Medibank has assured everyone that it has enough capital to meet the new costs even after parking the additional $250 million as a penalty. It claims to have $148 million after meeting its new costs. The hacking story of Medibank goes back to October 2022, when it confirmed to the market that it had detected “unusual activity” on its network. It later admitted to its data being breached, affecting about 9.7 million accounts. Incidentally, the cyberattack was launched by the infamous Russian hacking group REvil, which demanded $15.6 as a ransom. Although Medibank did not pay any ransom, it faces financial costs in the form of four class action lawsuits. As per The Australian, the price tag for the health insurer could be as high as $150 million.

Growing Incidents of Cyber Attacks

The data breach at Medibank was followed by another more serious one at Optus, the telecom giant. With the Optus breach, cybercriminals stole millions of pieces of data in the form of names, phone numbers, dates of birth, and email addresses. Both data breaches were followed by numerous class action suits launched by consumers and shareholders.

If these two were not enough, HWL Ebsworth, the law firm in Australia, was attacked by a Russian-backed ransomware group. Known as BlackCat, the group hacked into the personal computer of an employee and ended up stealing more than four terabytes of data. Although the exact cost due to this breach is not known, the law firm has spent more than $250,000 to conduct a review of the leaked data.

According to Manish Chaudhari, CISO of Cybernetic Global Intelligence, a globally accredited cybersecurity company, the high costs of data breaches can leave most companies bleeding and going out of business. The only remedy is to engage IT security consulting and implement strong cybersecurity protective measures. These may include complying with regulatory standards such as PCI DSS QSA, ISO 27001, APRA CPS 234, ACSC Essential Eight, and many more.

How Can Businesses Prevent or Mitigate Cybercrime?

Cybercriminals are getting smarter with the use of sophisticated technologies and techniques. This necessitates businesses to up their game and be a step ahead of cybercriminals. To enhance their cybersecurity posture, businesses can undertake the following measures:

Strengthening security: This entails implementing strong passwords, employing multi-factor authentication, and keeping software up-to-date.

Addressing vulnerabilities: Regularly scanning networks for vulnerabilities and promptly patching any identified security weaknesses is essential.

Providing workforce training: Employees should be educated on identifying and reporting phishing emails, social engineering attacks, and other cybersecurity threats.

Complying with industry regulations: Adhering to relevant industry regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), is crucial.

If a business enterprise lacks the resources or expertise to establish and maintain a robust cybersecurity programme, engaging the services of a cybersecurity company like Cybernetic Global Intelligence can be advantageous. As a globally accredited cybersecurity firm, Cybernetic Global Intelligence offers a range of services to assist businesses in improving their cybersecurity infrastructure and responding to cybercrime incidents. These services include:

Managed security services: Providing continuous monitoring and threat analysis to enable businesses to detect and respond to cybersecurity threats 24/7.

ISO 27001 certification: Assisting businesses in attaining ISO 27001 certification, an internationally recognised standard for information security management.

Risk assessments and security audits: Identifying and mitigating known cybersecurity risks and vulnerabilities through comprehensive assessments and audits.

Red team testing: Simulating cyberattacks to identify weaknesses in a business’s cybersecurity infrastructure.

PCI compliance consulting: Guiding businesses to achieve PCI compliance, a requirement for entities accepting credit cards.

Penetration testing: Identifying and addressing vulnerabilities that cybercriminals could exploit.

Australian companies are paying the price for being lackadaisical with their approach to cybersecurity. Recent incidents of cyberattacks have compelled the Australian government to enact comprehensive cybersecurity legislation. Ravin Prasad, CEO of Cybernetic Global Intelligence, emphasises that businesses have no choice but to bolster their cybersecurity posture. Engaging the services of top-tier cybersecurity companies like Cybernetic Global Intelligence can help achieve this objective. For further information on safeguarding your business against potential cybersecurity threats, please contact 1300 292 376 or email