Get all your news in one place.
100’s of premium titles.
One app.
Start reading
AAP
AAP
Business
Jacob Shteyman

Regulator sanctions Medibank following data hack review

At least 9.7 million Medibank customers had personal information compromised. (Diego Fedele/AAP PHOTOS) (AAP)

Medibank says it will have no problems complying with orders to carry an additional $250 million in capital after a catastrophic data breach.

The Australian Prudential Regulation Authority on Tuesday announced the new capital adequacy requirement will kick in from July 1 and remain in place until Medibank satisfactorily completes remediation work.

It will also conduct a technology review focusing on the company's governance and risk culture.

"This action demonstrates how seriously APRA takes entities' obligations in relation to cyber risk and that APRA will respond strongly to identified weaknesses in cybersecurity controls," board member Suzanne Smith said in a statement.

At least 9.7 million Medibank customers had personal information including names, dates of birth, addresses and phone numbers compromised during the October 2022 data breach.

The measures are intended to expedite Medibank's remediation program, with further work needed to ensure the company remains safe from further data breaches.

"APRA expects Medibank to ensure there is appropriate accountability and consequence management, including impacts to executive remuneration where appropriate," Ms Smith said.

"I note that Medibank has consistently dealt with APRA in an open, constructive and cooperative way, consistent with our expectation of all regulated entities."

Medibank chief executive David Koczkar said the company takes safeguarding customer data very seriously and has sufficient capital of $148m to meet the new requirement.

"Medibank has continued to strengthen our systems and processes to provide our customers with the security they expect and deserve," he said in an ASX announcement.

"We will continue to work to enhance our systems and processes even further.

"Our company remains strong and well-capitalised."

The regulator has repeatedly emphasised the need for financial providers to step up their vigilance and cybersecurity defences.

"Unfortunately, not all entities are heeding these messages as we continue to identify poor cybersecurity practices and inadequate oversight from boards and management," Ms Smith said.

The regulator flagged further action to ensure entities address gaps and weakness in controls.

Medibank shares fell 4.5 per cent to $3.42 by 11am on Tuesday.

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.