Medibank directed to allocate $167 mn following data breach

In response to a network intrusion and subsequent data breach, Australia’s insurance provider Medibank has been instructed by the country’s banking regulator to allocate an additional $167 million in capital reserves.
MedibankThe Australian Prudential and Regulation Authority (APRA) has identified weaknesses in Medibank’s information security and has demanded that the capital adjustment be implemented from July 1. The adjustment will remain in effect until Medibank completes a remediation program that satisfies the regulator’s requirements.

Suzanne Smith, a member of APRA, stated that the action taken by the regulator aims to expedite Medibank’s remediation efforts. Medibank, in a statement, confirmed that it currently possesses sufficient capital to meet the required adjustment and expressed its commitment to collaborating with APRA to implement necessary remediation measures.

Medibank disclosed last year that a hacker had gained unauthorized access to its systems and stolen the personal information of 9.7 million existing and former customers. The compromised data was subsequently released on the dark web, constituting one of the largest data breaches in Australia’s history. As a result, three separate class action lawsuits have been filed on behalf of affected customers against Medibank in Australian courts.

While Medibank has already addressed the specific vulnerabilities that allowed the unauthorized access to its systems, APRA emphasized that further efforts are needed to enhance the company’s security infrastructure and data management across various areas. To this end, the regulator will conduct a targeted technology review of Medibank, focusing on governance and risk culture.

Australia has witnessed an increase in cyber intrusions since late last year, prompting the government to enact security reforms in February. Additionally, an agency has been established to oversee government investments and coordinate responses to hacker attacks.