Data breach costs slowly abating for Medibank


Medibank has predicted a full-year 2024 cost of between $30 million and $35 million arising from the ongoing response to its 2022 data breach, as reports emerged that the alleged attacker had been arrested in Russia.



The latest forecast is in line with the cost Medibank predicted in August 2023, when it announced that the 2023 full-year cost was $46.4 million.

The health insurer revealed the figure in its first-half 2024 financial results [pdf].

The confirmation of figures came as it emerged that Aleksandr Ermakov, sanctioned in January as the alleged attacker, has reportedly been arrested in Russia.

Russian cyber security company FASST reported the arrest, saying that an individual going by “gustavdore” – a handle reportedly used by Ermakov – had been arrested over his alleged involvement with the SugarLocker ransomware group.

The Australian Federal Police would not comment on the reported arrest, beyond telling iTnews it is aware of the reports.

Medibank said that for the half-year ended December 31, 2023, it booked $17.6 million in non-recurring costs attributable to the 2022 cyber security incident, including $12 million of office/admin expenses, $1.1 million in employee benefits, and technology expenses of $4.4 million (down from $6 million in the first half of 2023).

In the half year, the insurer said it spent $2.5 million on a security uplift.

The predicted full-year costs, Medibank said, will cover “further IT security uplift and legal and other costs related to regulatory investigations and litigation”.

The insurer also announced a small increase in its total technology spend overall, to $45.6 million for the half year (up from $43.1 million for the first half of 2023).

It expects these investments to pay off in savings elsewhere: “We are targeting a total $10 million of savings for the full year from increasing the use of digital channels and from business and process improvements”.

Medibank reported nearly 12 percent revenue growth to nearly $4 billion for the half year, and group operating profit up 4.3 percent to $319 million.

The 2022 attack remains one of Australia’s most serious data breaches, with more than 9.7 million customers’ details leaked via compromised credentials of a contractor.


