Medibank is going to take a $26 million half-year hit as the result of its 2022 security breach, and this is expected to climb to between $40 million and $45 million over the full year.
The insurer has also gone public for the first time with technical detail of the attack.
In a half-year results announcement [pdf], Medibank said the attacker first obtained the user ID and password used by a third-party IT services contractor.
A misconfigured firewall allowed the attacker to bypass the need to present “an additional digital security certificate” to access its systems, using those credentials.
“The criminal was able to obtain further usernames and passwords to gain access to a number of Medibank’s systems and their access was not contained,” Medibank stated.
The attack triggered a security alert on October 11, and Medibank said there was no further access after October 12.
“In December, we completed operation safeguard, which saw us take our systems offline” to strengthen security, CEO David Koczkar said.
The insurer has also ensured that all of its firewalls are securely configured.
“We now defend more than 18 million perimeter attacks a day”, he said.
“We will continue to strengthen our security environment.”
Both internal and third-party security monitoring have been scaled up, Koczkar said.
Data management will also be re-examined, he said, especially in the light of revisions to the Privacy Act.
Koczkar said after the attack, Medibank lost 13,000 subscribers, but customer acquisition has begun to recover.