
Health Fund Breach: Lack Of Cyber Security Measures Highlighted, Despite Warnings

Giulio Saggin
Wednesday 19 June 2024
SecAlerts

Court documents have revealed a damning insight into the cyber security failures of one of Australia’s biggest health funds.

The documents, filed by the Office of the Australian Information Commissioner (OAIC) in the Australian Federal Court, relate to the October 2022 breach of Medibank that resulted in the personal data of 9.7 million of its customers being stolen and released on the dark web.

The documents showed that an employee of a Medibank third-party IT contractor saved their Medibank username and password to their personal internet browser profile on the work computer they used for Medibank. When the worker signed into the same browser profile on their personal computer, the Medibank credentials were synced across.

In August 2022, the worker’s Medibank credentials were stolen from their personal computer by a threat actor, who was then able to log onto Medibank’s Microsoft Exchange server and use the credentials for the Admin Account, which had access to most (if not all) of Medibank’s systems. From there, the threat actor could log onto Medibank’s “GlobalProtect” VPN, which controlled remote access to the Medibank corporate network.

The threat actor was able to do this because access to the VPN didn’t require two or more proofs of identity or multi-factor authentication (MFA). The VPN was configured so that only a device certificate, or a username and password (such as the Medibank credentials), was required.

Once inside, the threat actor stole around 520 gigabytes of data, including names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, passport numbers, health-related information and claims data. This information was subsequently made available on the dark web.

It wasn’t as if Medibank didn’t know about its cyber security shortcomings. It had received numerous warnings from auditors and the like going back more than four years prior to the October 2022 breach.

These included:

- A pen test of Medibank’s OSHC web environment in March 2018 identified weaknesses in Medibank’s cybersecurity framework, including insecure or weak password requirements for accessing its systems.

- A June 2020 report identified that, among other things, Medibank had more people than necessary allowed access to Active Directory, the Microsoft directory service used for management of all Medibank users, group policies and domains, and that MFA had not been enabled for privileged and non-privileged users (described as a “critical” defect).

- Privileged users didn’t need MFA to access particular systems, backend portals, or supporting servers.

- An internal Medibank presentation prepared in early 2022 showed that security controls and a control review process and timeline prepared in 2020 were never implemented.

- An internal audit report in July 2022 identified that vulnerability scanning was only done on a sample of workstations and that security event monitoring should include unsuccessful MFA attempts.
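The two control gaps that recur in the findings above, VPN sessions granted on a password or device certificate alone and no monitoring of failed MFA attempts, can both be caught from the VPN gateway’s authentication log. The following is an added example, not code from the court documents or from Medibank; the syslog-style `key=value` log format and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log lines in an assumed format; hostnames, users and
# addresses are invented (addresses are from documentation ranges).
SAMPLE_LOG = """\
2022-08-07T02:11:09Z vpn-gw auth user=admin-svc src=203.0.113.45 method=password mfa=none result=success
2022-08-07T02:13:44Z vpn-gw auth user=jsmith src=198.51.100.7 method=password mfa=totp result=success
2022-08-07T03:01:12Z vpn-gw auth user=jsmith src=203.0.113.45 method=password mfa=totp result=mfa_failed
2022-08-07T03:01:30Z vpn-gw auth user=jsmith src=203.0.113.45 method=password mfa=totp result=mfa_failed
2022-08-07T03:01:55Z vpn-gw auth user=jsmith src=203.0.113.45 method=password mfa=totp result=mfa_failed
2022-08-07T04:20:00Z vpn-gw auth user=backup01 src=192.0.2.9 method=cert mfa=none result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth (?P<kv>.*)$")


def parse_line(line):
    """Parse one 'auth' line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = m.group("ts")
    return fields


def audit_vpn_log(text, failure_threshold=3):
    """Return findings as (rule, user, detail) tuples.

    login_without_mfa      - a session was granted with mfa=none, i.e. on a
                             password or device certificate alone.
    repeated_mfa_failures  - the same user/source failed the MFA step at least
                             failure_threshold times (the monitoring gap named
                             in the July 2022 audit finding).
    """
    findings = []
    failures = Counter()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "success" and ev["mfa"] == "none":
            findings.append(("login_without_mfa", ev["user"], ev["ts"]))
        elif ev["result"] == "mfa_failed":
            failures[(ev["user"], ev["src"])] += 1
    for (user, src), n in failures.items():
        if n >= failure_threshold:
            findings.append(("repeated_mfa_failures", user, f"{n} from {src}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in audit_vpn_log(SAMPLE_LOG):
        print(f"{rule:24} {user:12} {detail}")
```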

The OAIC is hoping to throw the book at Medibank and claims that each of the 9.7 million customers constitutes one individual contravention, each carrying a maximum fine of $2.22 million. If the court agrees, the penalty handed down would total a staggering $21 trillion.

© 2024 SecAlerts Pty Ltd.