Medibank faced anger from its shareholders at the company’s annual general meeting on Wednesday over the Australian health insurance giant’s massive cyber-attack.
The company chair, Mike Wilkins, told the meeting in Melbourne the cyber-attack was “unprecedented”. He said it was a “shocking crime”, the size and scale of which had not been seen before.
Medibank has been contacting 9.7m current and former customers, including international student and ahm customers, about the extent of the breach in the weeks since it was first discovered that hackers had infiltrated the company’s systems.
For the vast majority of customers, basic personal information – including name, date of birth, address, email, phone number and gender – was exposed. But for 480,000 of these customers, health claims made with Medibank were also stolen.
Medibank’s CEO, David Koczkar, told shareholders that Medibank was now in the process of directly contacting those 480,000 customers to inform them their claims data was exposed.
He said the company had contacted those whose health claims had been posted on the dark web within 48 hours of the hackers posting it.
Almost all of the questions put to the Medibank board from shareholders during the question and answer session were about the attack: why it happened and what the company was doing to rectify it.
Many of the shareholders were also Medibank customers whose data had been exposed – and some complained over the lack of consistent communication from the company.
Wilkins defended the company’s security processes, saying he believed what was in place prior to the cyber-attack was “robust”. But he acknowledged that whether that proved to be true was subject to the external Deloitte investigation currently being conducted.
Guardian Australia has reported the attack occurred due to the compromise of high-level credentials giving access to Medibank’s systems. A consistent question in the past few weeks has been what additional layers of protection were in place.
Wilkins said multi-factor authentication was used by the company as a standard, pointing to how difficult he found it to log back into his own account when he had forgotten his password.
Wilkins blamed state and federal laws for requiring the company to keep customer data for at least seven years, and said Medibank would adjust its policies should those laws change.
Both Wilkins and Koczkar defended the company’s decision not to pay the ransom to the hacker group, saying advice suggested there was little chance it would prevent further extortion of customers, or guarantee the data would not end up online.
Koczkar said the cyber-attack had been “deliberate, designed to extort money by targeting our customers – particularly some of the most vulnerable people in the community”.
Shareholders called for the board to consider adding more IT expertise to the board, and questioned why board and executive pay had not been affected by the breach.
Wilkins said the Deloitte report would feed into any questions over who was accountable for the attack and would be reflected in next year’s review. Wilkins did not put a timeframe on when the report would be finalised, but said it would take several months.
Koczkar said it was an incredibly challenging time for the company but one he was confident Medibank would recover from.
The Russian hacker group behind the attack last posted health claims data of a few hundred customers on the dark web on Monday, and said they would hold off publishing more until Friday. The group said it was hoping for a positive outcome from Wednesday, suggesting the group would be paying close attention to the AGM.
The CEO and chair refused to say whether Medibank was still in communication with the hackers, saying it was a matter for the Australian federal police investigation.