‘Wakeup call’: Australia’s privacy umpire sues Medibank over 2022 cyber attack

Simone Grogan
The Nightly
Medibank's huge security breach is a warning to business. Credit: Scott Barbour/Getty Images

The Australian Information Commissioner is alleging Medibank Private “seriously interfered” with the privacy of 9.7 million people by not protecting personal information that was released on the dark web.

The launch of civil action against Australia’s largest health insurance company comes less than two years after the company was hit by a major cyber attack in October 2022.

“The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,” acting Australian Information Commissioner Elizabeth Tydd said on Wednesday.

“We consider Medibank’s conduct resulted in a serious interference with the privacy of a very large number of individuals.”

Moving to file proceedings in the Federal Court against Medibank Private also follows an investigation launched by the OAIC in December 2022 amid the aftermath of the attack.

Privacy Commissioner Carly Kind fired a warning that the case should serve as a “wakeup call” to Australian businesses to “invest in their digital defences to meet the challenges of an evolving cyber landscape”.

“Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe,” she said.

The hack gave rise to questions about the obligations big organisations have in storing sensitive data. Cyber attacks have quickly risen up the ranks as one of the biggest threats to businesses.

The OAIC sits as an independent agency within the portfolio of the Attorney General and is there to investigate and review matters relating to privacy, freedom of information and government information policy.

The office is alleging Medibank failed to take reasonable steps to protect the personal data it held on current and former customers despite its size, resources, the volume of sensitive information it handled and the risk of “serious harm” if there was a breach.

Personal information including names, dates of birth, addresses, phone numbers and Medicare numbers was leaked and subsequently released to the dark web during the attack.

Earlier this year Australia imposed cyber sanctions against a Russian man for his role in the hack in 2022.
