On 23 February 2023, as part of its HY23 financial results presentation, Medibank outlined the circumstances surrounding how the criminal accessed its systems, what it had done in response and its key focus areas going forward, including shutting down the attack path and strengthening its security environment.
Deloitte has been conducting an external incident review into the circumstances surrounding the cybercrime event. Medibank confirms that it has now been provided with Deloitte’s findings from that review.
Deloitte has made recommendations to enhance Medibank’s IT processes and systems. A number of recommendations have already been implemented, and Medibank intends to implement all recommendations not already undertaken, along with other enhancements previously planned by Medibank.
Medibank will also continue to review its cyber security governance arrangements, recognising the increasing prevalence of cybercrime and the need to meet the ongoing expectations of our customers.
This cybercrime remains the subject of a criminal investigation. Medibank continues to work with the Australian Federal Police, the Australian Government and regulators. As previously committed, Medibank will continue to share lessons from the cybercrime with other Australian businesses, where it can.
Medibank Chair Mike Wilkins said:
“This cybercrime was a deliberate and malicious attack. Our focus has been to ensure that we closed down the attack path and enhance our systems and processes to provide our customers with the security they expect and deserve.
“Medibank has completed a range of enhancements to meet this expectation and the Board will continue to oversee the completion of steps to implement the recommendations to enhance systems and processes even further.
“From the beginning of this cybercrime, Medibank has continued to prioritise and support the needs and health of our customers and to ensure the earliest possible resumption of normal business operations.”
This announcement has been authorised for release by the Board.