Medibank's data breach costs anticipated to reach $126m by mid-2025

By

Excluding regulatory or legal penalties.

Medibank is expecting to have completed "the vast majority" of its cyber security uplift following a 2022 data breach by mid-2025, with the total cost of the incident now expected to be $126 million-plus.

Medibank's data breach costs anticipated to reach $126m by mid-2025

The data breach has now cost the insurer $86.2 million and is likely to climb to around $126 million by the end of June next year.

The health insurer said in financial statements that it incurred “non-recurring cybercrime costs” of $39.8 million in FY24, after a $46.4 million cost the prior year.

While this is a 14.2 percent decrease year-on-year, the insurer is expecting costs between FY24 and FY25 to remain around the same level - and potential litigation costs extending beyond that.

Medibank said [pdf] that the $39.8 million spent in FY24 covered “further IT security uplift and legal and other costs related to regulatory investigations and litigation”.

“[We] expect similar costs for these matters in FY25, including investment associated with uplifting business resilience and customer trust.”

However, Medibank added that its forecast costs for FY25 “excludes the impacts of any potential findings or outcomes from regulatory investigations or litigation.”

“Around 60-to-65 percent of that spend in FY25 will be in the actual IT security uplift component of the program,” chief financial officer and group strategy lead Mark Rogers told investors.

“We expect by the end of FY25 the vast majority of the work we need to do in that program will be complete, so then looking into FY26 the costs will continue, but the majority of those costs then will be associated with the litigation. 

“So FY25 is about completing the [security] uplift. There still will be some uplift costs in FY26, but largely the FY26 costs will reflect the costs of defending the litigations that we’ve got on foot.”

Medibank is facing court action filed by the Office of the Australian Information Commissioner (OAIC) over its protection of personal information.

It is also facing a class action lawsuit - previously two, but they were consolidated.

Medibank said that customer acquisition rates on its own brand had recovered to pre-data breach levels.

For FY24, Medibank reported a group underlying net profit after tax of $570.4 million, up 14.1 percent year-on-year.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

BoM's seven-year technology transformation cost $866m

BoM's seven-year technology transformation cost $866m

Medibank allegedly missed EDR alerts before data breach

Medibank allegedly missed EDR alerts before data breach

ANZ joins NAB and CBA on ConnectID

ANZ joins NAB and CBA on ConnectID

James Cook University accelerates digital roadmap and cyber uplift

James Cook University accelerates digital roadmap and cyber uplift

Log In

  |  Forgot your password?