Transparency promises do not include Deloitte report, Medibank chair says

Medibank’s chairman told a court an external report into a major data hack cannot be included in the company’s earlier commitments to be transparent and share what it learnt with the public.

Naomi Neilson
Mon, 27 May 2024

In the days and weeks after Medibank was hacked and the personal information of almost 10 million Australians was leaked, the board scrambled to retain law firm King & Wood Mallesons to commission an external report from Deloitte into its cyber security systems.

Lawyers behind a class action have told the Federal Court this report is being kept hidden from them, despite a number of promises made by Medibank in late 2022 and 2023 to be transparent with the public and to share everything it learnt with other Australian businesses.

Appearing in court on Thursday (23 May), chair Michael Wilkins was questioned by counsel Wendy Harris KC on how the insurance giant could have committed to sharing the key outcomes from the Deloitte report back in 2022–23, only to insist on its confidentiality now.


“We were committing to sharing the key outcomes where appropriate and that, to my mind, did not mean sharing the reports,” Wilkins said.

Harris pressed Wilkins on public statements he and the rest of the board made, including CEO David Koczkar, in media releases and on the Australian Securities Exchange (ASX) following the hack.

Harris told the court these statements included promises to keep the public informed and a commitment to strengthening Medibank’s systems, but did not mention the report’s dominant use as a legal document.

“If that were the case, you didn’t need to refer to the external review in your ASX [and public] releases at all, did you?” Harris asked.

“We felt it was important to get the message out that we were taking this event seriously and that reference would help with getting that message into the wider marketplace,” Wilkins said.

Harris then put to Wilkins that despite his commitments to transparency, Wilkins was now giving evidence because he and Medibank “would very much like to keep the Deloitte report a secret”.

“You realise that the people on behalf of whom the applicants bring this proceeding are customers of Medibank whose data was stolen?” Harris questioned, and Wilkins agreed.

During Tuesday’s hearing, Koczkar said the public statements never mentioned the report’s dominant purpose was for legal advice because, “I was always told … that if you talk about a legal review, you waive [legal professional] privilege.”

Counsel for Medibank, Dr Sue McNicol KC, said the Deloitte report was created “by virtue of engagement … by the solicitors” and there was no “warrant to require Medibank to expose and lay bare the sorts of reports … that were commissioned by lawyers”.

“This case is all about telling your secret in order to keep your secret, and we have as much as possible without going too far,” she added.

The hearing has been adjourned until early June.

This story was originally published by Cyber Daily’s sister publication, Lawyers Weekly.
