
Medibank facing $21.5 trillion in fines after hacker stole the private information of almost 10 MILLION Australians

Health insurer Medibank is being sued by the information watchdog after the personal data of 9.7 million Australians was stolen.

Australia’s Information Commissioner announced on Wednesday that it had initiated civil penalty proceedings over the October 2022 data breach.

The cyberattack stole sensitive information, including names, dates of birth and Medicare numbers, and much of it was leaked online.

In a statement, the commissioner alleged that Medicare failed to take reasonable steps to protect the information from misuse from March 2021 until the attack.

“Releasing personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial hardship,” said Acting Commissioner Elizabeth Tydd.

Medibank is being taken to court after the personal data of 9.7 million Australians was stolen in a cyber attack

Foreign Minister Penny Wong announced sanctions following the attack in January. Photo: NCA NewsWire / Martin Ollman

‘We allege that Medibank failed to take reasonable steps to protect the personal information it held, given the size, resources, nature and volume of the sensitive and personal information it processed, and the risk of serious harm to an individual in the event of a breach.’

The civil suit followed an investigation launched by the OAIC into the attack, which affected current and former members, as well as subsidiary AHM.

Under the Australian Privacy Principles, Medibank is required to take reasonable steps to protect the information it holds, including from unauthorized access.

The OAIC can apply to the Federal Court for an injunction if it is alleged that an entity has ‘committed serious or repeated breaches of privacy’.

If found guilty, Medibank faces a civil penalty of up to $2.2 million for each violation, although such an order can only be imposed by the court.

The commissioner claims there is a violation for each of the 9.7 million customers, which amounts to a potential maximum fine of more than $21 trillion.

It is up to the Federal Court whether fines are imposed.

Medibank generated revenues of $7.1 billion and annual profits of $560 million in the financial year ending June 2022, according to the OAIC.

In January, Foreign Minister Penny Wong announced sanctions against Russian Aleksandr Ermakov over his alleged role in the breach.

The sanctions were the first under cybersecurity legislation passed in 2021 and came after an investigation by both the AFP and the ASD.
