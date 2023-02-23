Medibank has taken a $26.7 million hit in the first half of FY23, with this expected to climb to $45 million over the entire year.

The company initially flagged the full-year fallout would be between $30-35 million, but have now revised this to between $40 – $45 million.

This figure is likely to be much higher in actuality, as it covers additional non-recurring investment in IT security, but does “not include further potential customer and other remediation, regulatory or litigation related costs”, which are likely to be substantial.

Surprisingly, Medibank lost just 13,000 subscribers in the wake of the attack, with chief executive David Koczkar saying it has recently seen net customer growth.

“Last month net resident policyholder loss slowed to 1100, while this month up to 18 February we have seen net growth of 200,” Koczkar said.

Underlying net profit was up 6.7 per cent, to $226.7 million. Medibank lifted its dividend from 6.1c to 6.3c.

The company also revealed what went wrong for the first time, saying the hacker used a user ID and password given to a third-party IT services contractor. The hack was able to skip 2FA due to a “misconfigured firewall” that gave him access without “an additional digital security certificate”.

“The criminal was able to obtain further usernames and passwords to gain access to a number of Medibank’s systems and their access was not contained,” Medibank explained.

“We now defend more than 18 million perimeter attacks a day”, Koczkar said, saying there have been no breaches since October 11.

“We will continue to strengthen our security environment.”