APRA slams Medibank with $250m punishment for cyber breach

The Australian Prudential Regulation Authority (APRA) will force Medibank to hold an additional $250 million in capital from July as punishment for the health insurer’s data breach last year.

The breach resulted in the theft of medical details belonging to nearly 10 million Australians, some of which were posted online after Medibank refused to pay a ransom.

APRA’s punitive measure aims to ensure Medibank strengthens its cyber security and data management practices, demanding the insurer hold additional capital from July.

Following the Medibank hack, non-bank lender Latitude Financial Group had their systems compromised resulting in approximately 7.9 million driver’s licence numbers and 53,000 passport numbers being stolen from Latitude’s customers.

The severity and frequency of cyber attacks in Australia have prompted discussions within the financial services sector, emphasising the need for heightened vigilance and upgraded technical protections.

APRA’s 2020–24 Cyber Security Strategy underlines the importance of increased cyber security measures and ongoing vigilance to identify and address cyber exposures.

However, APRA executive Suzanne Smith said: “Unfortunately, not all entities are heeding these messages as we continue to identify poor cyber security practices and inadequate oversight from boards and management.”

Consequently, APRA will take further action to address these gaps and weaknesses in controls.

APRA’s examination of the Medibank incident identified vulnerabilities in the company’s information security environment.

While Medibank has already addressed the specific weakness that led to the breach, APRA asserts that additional measures must be implemented to strengthen security and data management further.

APRA will also “conduct a targeted technology review” to ensure the company’s systems are up to standard.

Ms Smith described the October 2022 cyber incident as one of “the most significant data breaches” ever experienced in Australia.

“APRA seeks to ensure that Medibank expedites its remediation program,” Ms Smith said.

“This action demonstrates how seriously APRA takes entities’ obligations in relation to cyber risk and that APRA will respond strongly to identified weaknesses in cyber security controls.

“APRA expects Medibank to ensure there is appropriate accountability and consequence management, including impacts to executive remuneration where appropriate.”

As cyber threats continue to evolve, APRA urges all sectors to improve their cyber security practices to safeguard sensitive data and protect individuals’ privacy.

Cyber attack weighs on non-bank’s bottom line

In its 1H23 and FY23 results announcement, Latitude disclosed that it anticipates the total costs to be around $53 million after tax in the first half of the financial year, which includes a $46 million provision.

The incident, which occurred in late March 2023, resulted in the theft of nearly 8 million driver’s licence numbers and hundreds of thousands of passport numbers.

As a result, the impacts of the attack, including an anticipated increase in credit provisions to 4.20 per cent, are expected to lead to a cash net profit after tax (NPAT) in the range of $5 million to $10 million for 1H23.

[Related: Major cyber attack on a bank would be catastrophic: Senator]