“Where the commissioner considers there is sufficient public interest in an incident, the commissioner may publish a report of the investigation,” the OAIC said.
Law firm Maurice Blackburn lodged a representative complaint with the OAIC the very morning the commission announced its investigation. The firm is alleging Medibank failed in its duties by failing to take steps to protect its customers’ personal information, and any adverse findings by the OAIC will boost the prospects of compensation.
Bloomberg Intelligence estimates that a compensation claim could easily reach $700 million.
The criminals accessed basic account details of 9.7 million current and former Medibank customers as well as the health claims data for about 160,000 Medibank customers, 300,000 customers of its budget arm ahm and 20,000 international customers.
Greg Austin, a cybersecurity expert with geopolitical think tank the International Institute for Strategic Studies (IISS), says culpability should be an issue for Medibank – as its chairman Mike Wilkins inadvertently admitted at its AGM in November.
“We believe that our processes were robust, although clearly not robust enough in this circumstance,” Wilkins told investors.
Austin, for one, was surprised that the compromise of just one person’s work credentials at Medibank led to access to its entire database, including employee details.
“Nobody at a bank can get access to all of the bank’s customer data through their access credentials. It’s all compartmented,” he said.
“What seems to have been the case at Medibank is they got everything because there was somebody in the organisation who had the administrative authority to get everything.”
Financial impact
The financial impact appears to be reflected in the private health insurer’s share price – with Medibank’s market valuation shedding nearly $2 billion since the incident became public. And investors shouldn’t expect a quick recovery either.
Glenn Withers, a professor of economics at ANU, has helped develop a study on the stock market impact of cyber incidents on the S&P 500 sharemarket benchmark, which includes some of the biggest US corporations.
“What we found is that (cyber incidents) have a very serious effect,” he said. And the negativity does not dissipate once a remediation is sorted.
“Most of them are in the range of about a 5 to 15 per cent loss of stock market valuation in the first one to two years after a major cybersecurity event,” he said.
But he warned that serious cyber breaches can require a lot of corporate upheaval before the victim can recover.
“What we can also say is, where the (cyber) effect is large, quite often the way a company recovers is by takeover and management renewal. You’ve got to reconstruct a company that is the most severely hit to get yourself back on track.”
He thinks this is applicable in Medibank’s case.
“I would have thought that a very substantial renewal is going to be required in this case,” he said. “It won’t be a short-term remedy at all.”