Australia regulator files lawsuit against Medibank over data breach

SYDNEY, Australia – Australia’s privacy regulator said on Wednesday, June 5, it had filed a lawsuit against the country’s biggest health insurer Medibank over a data breach that exposed personal information of millions of customers on the dark web.

In civil penalty proceedings filed in the Federal Court, the Australian Information Commissioner said Medibank “seriously interfered” with the privacy of Australians by failing to take reasonable steps to protect data from misuse.

Medibank in 2022 disclosed a hacker stole the personal data of 9.7 million current and former customers and released it on the dark web in one of Australia’s biggest data thefts.

“We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach,” Acting Commissioner Elizabeth Tydd said.

The Federal Court can impose a civil penalty of up to A$2.22 million ($1.48 million) for each violation of the Privacy Act.

Australia’s banking regulator told Medibank last year to set aside A$250 million in extra capital, citing weaknesses identified in its information security after the breach.

Medibank, in a statement released to Australia’s stock exchange, said it intends to defend the lawsuit.

Tydd said in a statement the case should serve as a wakeup call to Australian companies to invest more in their digital defenses to thwart cyber threats.

Australia has seen a spike in cyber intrusions over the last two years, prompting the government to reform security rules and set up an agency to oversee government investment and help coordinate responses to hacker attacks. – Rappler.com