
Medibank to implement ‘all recommendations’ from Deloitte external review into data breach

Lauren Croft
Fri, 28 Apr 2023

On 13 October 2022, Medibank Private Limited confirmed in an ASX release that it had detected “unusual activity” on its network, before disclosing that customer data had been accessed and stolen, affecting as many as 9.7 million current and former Medibank and international student customers.

This prompted four class actions, as well as an external incident review by “big four” firm Deloitte — the results of which have now been released.

Numerous legal claims, complaints, and class actions have been launched against the health insurance provider since the breach, the most recent of which is on behalf of shareholders who acquired interests in the health insurance provider between 1 July 2019 and 19 October 2022.


In February this year, as part of its half-year 2023 financial results presentation, Medibank outlined the circumstances surrounding how its systems were accessed, what it had done in response, and its key focus areas going forward, including shutting down the attack path and strengthening its security environment.

After conducting an external investigation and incident review, Deloitte has provided Medibank with its findings from that review and recommendations moving forward, which Medibank confirmed in an announcement to the ASX this morning (28 April).

Deloitte made a number of recommendations to enhance the health insurer’s IT processes and systems, some of which have already been implemented. According to the statement, Medibank intends to “implement all recommendations not already undertaken, along with other enhancements previously planned”.

“Medibank will also continue to review its cyber security governance arrangements, recognising the increasing prevalence of cyber crime and the need to meet the ongoing expectations of our customers,” the ASX announcement stated.

Medibank chair Mike Wilkins said that since the data breach, the company has been striving to return to business as normal.

“This cyber crime was a deliberate and malicious attack. Our focus has been to ensure that we closed down the attack path and enhance our systems and processes to provide our customers with the security they expect and deserve.

“Medibank has completed a range of enhancements to meet this expectation, and the board will continue to oversee the completion of steps to implement the recommendations to enhance systems and processes even further,” he said.

“From the beginning of this cyber crime, Medibank has continued to prioritise and support the needs and health of our customers and to ensure the earliest possible resumption of normal business operations.”

Medibank also noted that the breach remains the subject of a criminal investigation and that the insurer would continue to work with government law enforcement and regulators moving forward, as well as “continue to share lessons from the cyber crime with other Australian businesses, where it can”.
