Medibank sued after 9.7m Aussies have data stolen in Russian cyber attack

Nathan Schmidt, NCA NewsWire
Medibank is being sued over the October 2022 cyber attack. NCA NewsWire / Christian Gilles

Health insurance giant Medibank is being sued by the information watchdog after the personal information of 9.7 million Australians was stolen.

The Australian Information Commissioner announced on Wednesday it had filed civil penalty proceedings over the October 2022 data breach.

Sensitive information, including names, dates of birth, and Medicare numbers, was stolen in the cyber attack; much of it leaked online.

In a statement, the Commissioner alleged Medibank had failed to take reasonable steps to protect the information from misuse from March 2021 until the attack.

“The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,” acting Commissioner Elizabeth Tydd said.

“We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.”

The civil proceedings followed an investigation launched by the OAIC into the attack, which affected both current and former members, as well as subsidiary AHM.

Under the Australian Privacy Principles, Medibank is required to take reasonable steps to protect the information it holds, including from unauthorised access.

The OAIC may apply to the Federal Court for a penalty order if an entity is alleged to have “engaged in serious or repeated interferences with privacy”.

If found guilty, Medibank could face a civil penalty of up to $2.2 million for each contravention, though such an order is only made by the court.

According to the OAIC, Medibank generated revenue of $7.1 billion and an annual profit of $560 million in the financial year ending June 2022.

In January, Foreign Minister Penny Wong announced sanctions against Russian man Aleksandr Ermakov over his alleged role in the breach.

The sanctions were the first under cyber security legislation passed in 2021 and came after an investigation by both the AFP and ASD.

Originally published as Medibank sued after 9.7m Aussies have data stolen in Russian cyber attack