Cyber incidents rarely begin with chaos. No sirens. No flashing lights. Just a quiet alert that something isn’t right.
That’s how it started for Alex Loizou, former Chief Information Security Officer at Medibank, on an October evening in 2022. A routine detection. An anomaly that, at first glance, looked like background noise.
It wasn’t.
Within hours, Australia’s largest private health insurer was confronting one of the most consequential cyber breaches in the nation’s history. An incident that would expose sensitive data, trigger public outrage, and place heavy pressure on the people tasked with defending the organisation.
“We didn’t quite understand the significance of what we were seeing,” Loizou recalls. “It didn’t start as a fire alarm, just unusual behaviour.”
That uncertainty defines the most dangerous phase of any cyber incident. Most alerts lead nowhere. Some lead straight into crisis.
This one did, right into the belly of the beast.
In the early stages, the response is clinical and methodical. Security teams balance curiosity with caution, testing assumptions and managing the urge to overreact.
But once the breach was confirmed, the game changed.
“First and foremost, your customers, they’re actually the victims of a crime,” Loizou says. “But the thing that you often forget [is] that your business and staff are also victims of that same crime.”
That’s when the real toll begins, not just technical, but human too.
Inside the security team, second-guessing starts to creep in. The what-ifs. The mental rewind. Could this have been stopped earlier? Was something missed?
“The emotional hit was really there,” Loizou admits. “It’s quite impactful.”
And it didn’t stop with the security function. Across Medibank, the breach landed like a shared violation. “It was like everyone’s house had been broken into,” he says.
One breach rarely comes alone. The ants come marching two by two.
Following the initial compromise, Medibank saw increased phishing attempts, heightened external probing and intensified dark web chatter. Once an organisation is exposed, it becomes a magnet.
Attackers watch closely to see how it plays out. Opportunists then follow. This exposes a hard truth about preparedness.
Annual tabletop exercises and compliance checklists don’t hold up under live fire. “We’ve met our obligations. It doesn’t cut it,” Loizou says. “No two incidents are alike.”
What matters instead is aptitude: repetition, realism, and muscle memory built before any crisis hits.
In Medibank’s case, prior hands-on simulations proved decisive. Not just theory, but practice.
Medibank also made a call to engage multiple external incident response firms at the same time, each working independently.
The upside? Validation. If conclusions converged, confidence increased. If they didn’t, blind spots surfaced and compounded.
The downside? Complexity.
“It ends up ballooning the effort,” Loizou says. “More cats to the cat herding.”
Managing that chaos required more than technical skill. It demanded coordination, judgment and emotional control. One of the most effective leaders during the response wasn’t a hardened cyber operator, but the head of security delivery.
As investigators worked methodically, the public narrative moved faster, and not always accurately.
Security reporting is evidence-based and cautious. Headlines aren’t.
Statements intended as provisional were often treated as definitive. Nuance was lost. Confidence was overstated. And the noise flooded in, including vendors rushing to sell “solutions” mid-crisis. The industry is notorious for ambulance chasing, with vendors trying to shoehorn their products in off the back of an unfortunate incident.
“[It] was utterly unhelpful,” Loizou says.
The lesson? Security and communications teams can’t meet for the first time during a breach. Alignment must happen long before a crisis hits, and it needs to be continuous.
Loizou now advocates for aggressive transparency, but paced, deliberate and built to withstand misinterpretation and inaccurate details.
One unexpected outcome of the Medibank breach was the response from competitors.
Instead of silence or schadenfreude, Loizou received calls of support.
“This is a problem that impacts the whole industry, but it’s also a problem that real humans are being impacted by,” he says.
The collaboration extended beyond companies to government, where attention normally homes in and momentum follows.
Breaches are damaging. But they also force maturity and unity.
Loizou maintains that the strong sense of collaboration in the security industry is one thing he is positive about. Instead of seeing a competitive edge when an incident occurs, competitors communicate, working together and sharing knowledge to prevent those outcomes in the future. In addition, as major incidents have come in quick succession, the government has also shifted focus and moved the needle in supporting organisations.
“My genuine hope is that each and every one of those [incidents] make us stronger,” Loizou says. “That effectively makes Australia less of a target over time.”
Cyber incidents will keep coming. No organisation is immune, as we all know. No playbook is complete. Each incident is different, and there is no full-blown, prescriptive blueprint that fits every one.
One noble takeaway from the Medibank fiasco is how leaders carry the weight.








