Shareholders of cyberattack victim Medibank grilled the company's board members and executives about the incident that resulted in hackers drip-feeding client data and demanding a $US1 per customer ransom from the company. The question-and-answer session saw open criticism, despite assurances of a “robust” response to the crisis.
However, none of the directors lost their seat or faced a pay cut, as shareholders cleared all resolutions at the annual general meeting (AGM) held early on 16 November.
Cyber attack and company AGM
Medibank is probably the first listed company in the world that had to face the company shareholders at its annual general meeting right after a massive cybersecurity crisis that affected all of its customers and clients.
Significant investors of the company warned the board that it would be held accountable at the AGM for the disastrous breach. During the question-and-answer session, almost all of the shareholder inquiries focused on the attack: why the breach occurred, why the company retained years of customer data, and what steps the firm was taking to address the crisis.
Medibank Chairman Mike Wilkins attributed the company’s requirement to retain client data for at least seven years to state and federal legislation, and he asserted that the company would modify the process if the government changes those norms. Mr Wilkins and company CEO David Koczkar defended the business’s choice not to pay the hacking group’s ransom.
No ransom or negotiations with cybercriminals
“Based on extensive advice from cybercrime experts, we formed the view that there was a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” said Mr Wilkins, addressing the AGM.
“In fact, the advice we have had is that to pay a ransom could have had the opposite effect and encouraged the criminal to directly extort our customers, and put more people in harm’s way by making Australia a bigger target.”
“Whilst nothing is certain, the criminal may continue to release files on the dark web,” said CEO Koczkar in his speech. “There is no doubt that rejecting the ransom demand was the right thing to do,” he added.
Unsatisfied, say shareholders
The assurances were insufficient to placate the Medibank retail shareholders, who voiced their displeasure to the Australian media after the AGM. One shareholder openly questioned the company board at the Q&A session, drawing applause from the audience.
“The chairman said [the breach] was unprecedented; that’s bullshit. Absolute BS,” Medibank shareholder Johnny Hua told reporters. Another shareholder, John Johnston, questioned the board’s IT knowledge, accusing the company of being “asleep at the wheel” during the incident.
The investor opposition was evident in the vote on executive pay, which registered close to 6% opposition while all other resolutions had significantly higher support.