Medibank has admitted that the personal data of some of its customers — including names, addresses, Medicare numbers and phone numbers — has been stolen in a cyber attack.
In a statement, the company said the criminal group allegedly responsible had claimed that 200 gigabytes of data had been stolen, and that Medibank would be reaching out to affected customers to let them know and to tell them what to do next.
"The criminal [group] has provided a sample of records for 100 policies, which we believe has come from our ahm and international student systems," it said.
"That data includes first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data."
It said the claims data covered where the medical service was provided and the codes relating to customers' diagnosis and procedures.
"The criminal claims to have stolen other information including data related to credit card security, which has not yet been verified by our investigations," it said.
Medibank said it understood the development was upsetting and that it expected the number of affected customers to grow as the incident continued.
Earlier this week, Medibank said it had been contacted by a group that claimed it had removed customer data and wanted to negotiate with the company, but investigations were ongoing to work out if the claim was true.
CEO apologises for stolen data
The company's chief executive, David Koczkar, offered an unreserved apology for "this crime, which has been perpetrated against our customers".
"I know that many will be disappointed with Medibank and I acknowledge that disappointment," he said.
"This cybercrime is now the subject of an investigation by the Australian Federal Police.
"We will learn from this incident and will share our learning with others."
Mr Koczkar promised to continue to provide customers and the public with updates as the investigation continued.
The revelations come hours after Cyber Security Minister Clare O'Neil confirmed the matter had been referred to the AFP and that Medibank was working with the Australian Cyber Security Centre and Australian Signals Directorate on the attack.
Opposition Leader Peter Dutton encouraged businesses and individuals to use the resources on offer through ASD and the ACSC to better protect themselves.
"I would encourage people to visit those websites, just to get the patches, the upgrades, the updates and for the government to continue that messaging," he said.
He said the government was missing the mark on making sure people knew where they could go and what they could do to protect themselves.
"Nobody is actually providing this support and this messaging out to the community and it is important that people just take the basics and upgrade your passwords to something that is not predictable. Do it regularly," Mr Dutton said.
"Make sure that the software upgrades are installed as you receive them on your phone, on your devices."
Medibank was hit by a cyber attack last week but, at the time, said there was no evidence sensitive data had been accessed.
A trading halt on Medibank shares will continue until further notice.