
Medibank and Energy Australia join Optus as victims of cyber attacks

All this talk about cyber attacks and people’s private information being stolen is unnerving to say the least. The first things you MUST do are to activate Two Factor Authentication on all your accounts AND change/improve the quality of your passwords, ensuring they are not the same across multiple accounts.

Below are emails sent to Medibank and Energy Australia customers, with helpful links to help you navigate this quagmire.

I am writing to provide you with a further update on our cybercrime event and our Cyber Response Support Package.

Earlier this week, I emailed you to let you know the criminal has taken data belonging to some Medibank customers, in addition to that of ahm and international student customers.

Our continuing investigations have now determined that the criminal has had access to the personal data of all ahm, international student and Medibank customers, as well as health claims data for a significant number of our customers.

Specifically, the accessed data includes: name, address, date of birth, phone numbers, Medicare number, policy number and, in some cases, claims data.

We appreciate how important it is for you to understand what ‘access’ means. In this case, it means the data was either viewed, or the folder where the data is stored was viewed, by the criminal.

Our forensic investigation is still underway and will determine which of this data has been stolen.

What we are doing
Our investigation continues with a focus on determining the specific impact for each of our customers. We have started contacting customers whose data we know has been stolen.

If we find your data has been stolen, we will notify you by email as soon as possible. We will also provide you with specific advice and support on how our Cyber Response Support Package can help you.

We are also working urgently to provide our contact centre and retail teams with information specific to your circumstances, so they can better support you and answer your questions.

Support for customers
Earlier this week, we shared details of our Cyber Response Support Package for all current customers and former customers who have had their data stolen:
- Mental health and wellbeing support available through Medibank’s 24/7 support line 1800 644 325
- Hardship support for customers who are in a uniquely vulnerable position as a result of this crime. Our contact centre team will be able to provide direct access to the support we have available
- Specialist identity protection advice and resources through IDCare’s dedicated Medibank page
- Free identity monitoring services for customers who have had their primary ID fully compromised in this crime
- Reimbursement of replacement fees for customers whose identity documents have been fully compromised in this crime

Steps you can take to protect yourself
Given your name, address and date of birth may have been compromised, we recommend extra vigilance with your online security:
- Being alert for any phishing scams that may come to you by phone, post or email;
- Being vigilant to verify any communications you receive to ensure they are legitimate; and
- Not opening texts from unknown or suspicious numbers.

There are a number of resources online that explain what scams look like, including the Australian Cyber Security Centre and ScamWatch.

If you have received a suspicious email, please forward these emails to us at Our team will collate this information and share with law enforcement.

Please be assured people can’t access your Medicare details with just your Medicare card number. If you’re concerned you can replace your Medicare card using your Medicare online account through myGov or the Express Plus Medicare mobile app. Find out more at

As always, Medibank will never contact you asking for your password or sensitive information.

We are regularly updating our website with the most up-to-date information, answers to frequently asked questions, as well as a reminder of the further resources available. Our contact centre team is also available on 13 23 31 to answer other questions that you may have.

I acknowledge how distressing this will be for you, and apologise unreservedly.

David Koczkar
Chief Executive Officer, Medibank

Recent cyberattacks affecting Australian businesses – including an incident that resulted in unauthorised access to our My Account portal affecting 323 of our customers – have highlighted the importance of continuing to improve the measures that help keep customer data safe and secure. The security of your billing and other information in your EnergyAustralia My Account is important and we want to update you on what we’re doing to ensure your information is protected.

If you were affected, we’ve already contacted you by SMS, email or phone. If we haven’t contacted you, you weren’t affected. There is also no evidence that the information of the 323 customers was transferred outside of EnergyAustralia’s systems during the incident. No other EnergyAustralia system was affected.
You’ll need to change your My Account password
To keep our customers’ My Account information secure, we’ve changed the requirements for all My Account passwords. These new requirements will increase the complexity of your password, which will help to keep your information safe and secure. This means that after 10.00am on Tuesday 18 October 2022, you’ll be prompted to change your password in line with these stronger security measures.
If you’ve changed your password before 10.00am on Tuesday 18 October 2022, you’ll still need to change it again to meet these new requirements when you next log in. If you have changed your password after that date, you don’t need to do anything.
What do you need to do?
- Go to My Account online
- Create a password that’s a minimum of 12 characters long, with a mix of upper- and lower-case letters, special characters and numbers
- Don’t use a password that you’ve used before or that you use for other accounts
- Don’t share your password with anyone
Keeping your information safe
Our technology and the controls we have in place are designed to keep your personal information safe. With the increase in cyberattacks across the community, we all need to be vigilant and remain alert and up to date.
We’ve put together some tips on how to stay safe online.
- Change your passwords regularly, for all your online accounts. Use strong passwords and don’t use the same password across multiple websites or apps.
- Be wary of unexpected communications or messages. A message, email or phone call may appear to be from a company you use and trust – don’t click on links, open attachments or provide information if you have any doubts at all. It’s a good idea to double-check, by contacting them directly via their website.
- Ensure you’re protecting your devices by keeping them updated with the latest software. Make sure you have automatic updates turned on.
- Be careful about what personal information you share online – birthdays and pets’ names can give clues about your passwords and photos might identify your location or those of your loved ones. This information can be used by scammers to try to convince you to click on or open a link.
Accessing your EnergyAustralia app
Once you’ve created your new password, you can access our EnergyAustralia app using the same My Account login details.
Thanks for helping us keep your information safe.
Want to know more?
You can read more at our FAQs at or give us a call on 1800 171 397.
Kind regards
Mark Brownfield
Chief Customer Officer
