MPL cyberattack

It’s been something of a rollercoaster for Medibank with its recent cyber attack.

First they told the market that they’d had an attack, but they’d contained it and no customer data had been accessed.

Then a few days later they restated that there was no evidence that customer data had been stolen.

They had restored the systems on new hardware, and operations had resumed. The stock fell about 4% over this period, then recovered.

But yesterday, the company indicated that they had been contacted by someone claiming they had stolen data. Medibank put out another release saying they were investigating, and this afternoon they issued a statement that confirmed some information had been stolen.

The company has also stated several times that its systems have not been encrypted by ransomware. (That is, the attacker has not scrambled the data in the systems and demanded payment for the decryption keys needed to unscramble it.) This is a data-theft and extortion attack rather than an encryption attack, which is why operations were able to resume.

Current position

It now seems very likely that a hacker did gain access to their systems and was able to take some information relating to customer accounts in their ahm and international student brands. It appears the hacker waited a week before revealing that they held this information, so presumably they were attempting to gain more leverage but now think that their best option is trying to embarrass Medibank into paying some kind of ransom.

So Medibank’s systems are all working, but someone has data they shouldn’t. This includes names and contact details, birth dates, Medicare numbers, and some codes relating to claims which could be used to discover medical procedures people have had and some diagnoses.

The affected customers are probably mainly with Medibank’s ahm brand. The international student business would be minor, and there’s been no mention of a breach relating to Medibank’s main brand. ahm customers make up about a quarter of the book, and although the company does not provide segmental information, it seems likely that the average revenue per policyholder is lower for ahm than the Medibank brand, given that ahm is aimed at younger people.

The attacker has threatened to release more data unless Medibank pays up.


It’s not illegal for Medibank to pay up, but it’s strongly discouraged by the authorities and the security community for the obvious reason that it encourages more attacks, and there’s no guarantee the data would not be shared anyway. So it’s unlikely that they’ll make a payment. The shift to extortion suggests that whatever back door the hacker had into Medibank is now firmly closed, so further disruption to Medibank’s systems is unlikely, provided the original access path has actually been identified and removed rather than merely rebuilt around.

Unfortunately for the affected customers, they will likely have to monitor their various accounts and possibly change their credit cards.

Medibank will likely be fined for this breach, but (as the minister complained during the recent Optus breach) the fines are currently fairly modest. The incident does support the government’s calls for stiffer penalties for companies that allow unauthorised access to data. Unlike the Optus breach, there’s been no suggestion that Medibank was holding on to information that it didn’t need (in contravention of the Australian Privacy Principles).

Clearly, it’s not a positive for Medibank, and there will be costs related to remediation and fixing the security breaches, and they will lose some policyholders at the margin. But Australia’s health system is still strongly geared towards encouraging people into the private health insurance market, and switching health insurers is difficult. Combined with the fact that insurance is one of the very few sectors of the economy that benefit from higher interest rates and has defensive earnings that are not strongly affected by inflation or recession fears, we’ll continue to hold the stock.

Important Information: This document has been prepared by Aequitas Investment Partners ABN 92 644 165 266 (“Aequitas”, “our”, “we”), a Corporate Authorised Representative (no. 1284389) of C2 Financial Services, (Australian Financial Services Licensee no. 502171), and is for distribution within Australia to wholesale clients and financial advisers only.

This document is based on information available at the time of publishing, information which we believe is correct and any opinions, conclusions or forecasts are reasonably held or made as at the time of its compilation, but no warranty is made as to its accuracy, reliability or completeness. To the extent permitted by law, neither Aequitas nor any of its affiliates accept liability to any person for loss or damage arising from the use of the information herein.

Please note that past performance is not a reliable indicator of future performance.

General Advice Warning: This document has been prepared without taking into account your objectives, financial situation or needs, and therefore you should consider its appropriateness, having regard to your objectives, financial situation and needs. Before making any decision about whether to acquire a financial product, you should obtain and read the relevant Product Disclosure Statement (PDS) or Investor Directed Portfolio Service Guide (IDPS Guide) and consider talking to a financial adviser.

Taxation warning: Any taxation considerations are general and based on present taxation laws and may be subject to change. Aequitas is not a registered tax (financial) adviser under the Tax Agent Services Act 2009 and investors should seek tax advice from a registered tax agent or a registered tax (financial) adviser if they intend to rely on this information to satisfy the liabilities or obligations or claim entitlements that arise, or could arise, under a taxation law.
