Australian insurer: All customer data hacked
CANBERRA, Australia — Australia’s largest health insurer said on Wednesday a cybercriminal had hacked the personal data of all its 4 million customers, as the government introduced legislation that would increase penalties for companies that fail to protect clients’ private information.
Medibank said “significant amounts of health claims data” had also been accessed in the breach, which was reported to police a week ago.
The thief has demanded ransom and reportedly threatened to expose diagnoses and treatments of high-profile customers.
Medibank said its priority was to discover the specific data stolen in relation to each customer and to share that information with those customers.
The company had previously said the breach was thought to be limited to its subsidiary AHM and foreign students.
“Our investigation has now established that this criminal has accessed all our private health insurance customers’ personal data and significant amounts of their health claims data,” Medibank CEO David Koczkar said in a statement to the Australian Securities Exchange, adding an apology to customers.
The government has been planning urgent legislative reforms on cybersecurity regulation since a hacker stole the personal data of almost 10 million current and former customers of Optus, Australia’s second-largest wireless telecommunications carrier.
Optus became aware on Sept. 21 that personal data of more than one-third of Australia’s population of 26 million had been stolen.
In introducing amendments to the Privacy Act to Parliament on Wednesday, Attorney-General Mark Dreyfus mentioned both companies and MyDeal, an online retail intermediary that lost the data of 2.2 million customers in a hack revealed two weeks ago.
The penalties for serious breaches of the Privacy Act would increase from $1.4 million to $32 million under the proposed amendments.