Medibank has confirmed it has no cyber insurance following a breach that has seen cyber criminals access all of its 3.9 million customers' personal data.
The lack of cyber insurance means that the incident could cost between $25 million and $35 million, excluding costs accrued in remediation or legal fees.
Speaking to shareholders and customers, Medibank said that the cyber thieves now have access to all its own customers' personal data and significant amounts of health-claims data, along with that of its ahm and international students’ units.
Yesterday, Medibank said the breach was bigger than first believed but confirmed on 26 October that all personal data had been accessed.
The company is now attempting to establish the specific data that has been taken for each customer, whom it will contact directly.
The insurer confirmed that none of its IT systems have been encrypted by ransomware and it has now “prioritised preventing further unauthorised entry to our IT network”.
It said it has also bolstered existing monitoring, adding further detection and forensics capability across Medibank’s systems and network and scaling up analytical support via specialist third parties.
The Australian Federal Police (AFP), Australian Cyber Security Centre (ACSC) and third-party IT experts are now working with Medibank to unravel the breach.
“Our investigation has now established that this criminal has accessed all our private health insurance customers' personal data and significant amounts of their health claims data,” Medibank CEO David Koczkar said.
“The investigation into this cyber crime event is continuing, with a particular focus on what data was removed by the criminal.
“As we’ve continued to say we believe that the scale of stolen customer data will be greater and we expect that the number of affected customers could grow substantially.
“I apologise unreservedly to our customers. This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community.”
Medibank first reported that "unusual activity" had been detected on its network on October 12.
Last week, the insurer said that the data breach was confined to its insurance company sub-brand ahm, as well as international students studying in Australia who use Medibank under its Overseas Student Health Cover (OSHC) service. At the time, it said an estimated 200GB had been taken.