Medibank Hack Could Cost A$700M for Damages and Fixes

November 10, 2022

The data breach at Medibank Private Ltd. could cost the Australian health insurer A$700 million ($450 million) if customers decide to sue for damages after personal medical details were posted to a forum on the dark web, according to Bloomberg Intelligence.

“The award of customer damages is the key variable in the ultimate cost of Medibank’s data breach,” BI analyst Matt Ingram wrote in a note Thursday. The compensation bill could run as high as A$960 million if 10% of affected customers join a mooted class-action lawsuit and are paid the maximum A$20,000 in damages, but BI’s base case is A$480 million, he said.

The insurer also faces potential fines, while the cost of fixing the issue could be more than double the A$35 million (US$23 million) charge Medibank has already flagged, according to Ingram. While these damages could pose a significant blow to 2023 earnings, they shouldn’t prompt a capital raise, he said.

On Wednesday, hackers began leaking data stolen from Medibank, including the names, addresses and birthdates of hundreds of customers, to a forum on the so-called dark web. More details were posted Thursday and the company expects further leaks. The hackers demanded a $10 million ransom for the data, the Australian Financial Review reported.

The hack at Medibank follows a vast data leak at Singapore Telecommunications Ltd.’s Optus unit in September, which exposed the details of as many as 10 million customers. In Singtel’s earnings Thursday, it said it had provisioned a further S$142 million ($101 million) for customer remediation efforts.

Photograph: A Medibank Private Ltd. branch in Sydney, Australia, on Monday, Nov. 7, 2022. The attack on Medibank exposed the data of around 9.7 million current and former customers and some of their authorized representatives, the Melbourne-based company said in a statement. Photo credit: Brendon Thorne/Bloomberg