In its latest financial statements, Medibank revealed it had absorbed “non-recurring cybercrime costs” totalling $39.8 million in FY24, following a hefty $46.4 million hit the previous year.
Although this marks a slight 14.2 percent decrease, the financial storm is far from over. The insurer braces for similar expenditures in FY25, with potential legal battles looming on the horizon.
The Medibank’s chief financial officer and group strategy lead, Mark Rogers, painted a sobering picture for investors, emphasising that 60-to-65 percent of FY25’s expenditures would be funneled into IT security enhancements.
Rogers optimistically noted that by the close of FY25, the “vast majority” of these critical security upgrades would be complete. However, he cautioned that FY26 would shift focus, with litigation costs taking center stage.
“Around 60-to-65 percent of that spend in FY25 will be in the actual IT security uplift component of the program,” Rogers told investors.
“We expect by the end of FY25 the vast majority of the work we need to do in that program will be complete, so then looking into FY26 the costs will continue, but the majority of those costs then will be associated with the litigation.
“So FY25 is about completing the [security] uplift. There still will be some uplift costs in FY26, but largely the FY26 costs will reflect the costs of defending the litigations that we’ve got on foot.”
Medibank’s legal troubles are mounting. The Office of the Australian Information Commissioner (OAIC) has taken the insurer to court over its mishandling of personal data, and a class action lawsuit—previously split into two but now unified—also hangs over Medibank’s head.
Despite these turbulent times, Medibank is showing resilience. Remarkably, the insurer’s customer acquisition rates have bounced back to pre-breach levels, a testament to its enduring market presence.
For FY24, Medibank reported a robust group underlying net profit after tax of $570.4 million, marking a 14.1 percent increase year-on-year.
As Medibank races against time to fortify its defenses and mitigate the fallout, the shadow of the 2022 breach continues to loom large, promising a costly and protracted battle.
Meanwhile, Australia used its new cyber powers against Russian citizen Aleksandr Ermakov in connection with his alleged involvement in the Medibank data breach.
