Medibank incurred $7.5 million in direct tech costs after cyber attack

Medibank has revealed a breakdown of its $46.4 million data breach expense amount incurred after a high-profile cyber incident last year.

In the health insurer's 2023 annual report [pdf], released today, it said that the $46.4 million expenses from the breach comprised $22 million of administration expenses, $15.6 million in employee benefits expenses, $7.5 million in extra technology expenses, and $1.2 million in marketing expense.

The coming year is anticipated to bring another $30 million and $35 million in costs.

These cover “further IT security uplift and legal and other costs related to regulatory investigations and litigation” associated with the data breach but exclude penalties that could stem from various regulatory and legal actions underway.

The annual report is independently audited by PwC Australia, which notes in some detail the extra assurance work it had to perform, due to the cyber incident.

PwC noted that to give the okay to Medibank’s annual report, it had to determine whether the cybercrime event impacted the accuracy of the company’s financial reporting.

That included whether or not Medibank’s monitoring of “discrepancies or inconsistencies in financial reporting information”.

PwC noted that it “agreed, on a sample basis, the reliability and validity of underlying financial reporting information obtained from breached systems to an alternative data source”.

In the October 2022 data breach of Medibank, attackers obtained the credentials of a third-party contractor. That resulted in the leak of information on 9.7 million customers.