Australia’s privacy watchdog accuses Medibank of not using MFA, leading to breach

Australia’s largest health insurer, Medibank, allegedly neglected basic cybersecurity measures and signs of a breach when they occurred in 2022, leading to almost 10 million individuals being exposed.

Medibank did not require multi-factor authentication to log onto its VPN and failed to take other “reasonable steps to protect that personal information from misuse, and/or from unauthorized access or disclosure,” according to a court document filed by the Australian Information Commissioner.

The commissioners’ office (OAIC) has filed civil penalty proceedings in the Australian Federal Court, which can result in a penalty of up to $2,220,000 (US$1,466,010) for each contravention of section 13G of the country’s Privacy Act.

The 2022 Medibank attack forced the company to take some of its systems offline. Australia’s largest health insurer refused to pay a ransom to cybercriminals, who breached the company’s networks and stole the private details of 5.1 million Medibank customers, 2.8 million Ahm health insurance (part of Medibank) customers, and 1.8 million international customers.

Later, Aleksandr Ermakov, a Russian hacker, was blamed by Australian authorities for the attack that affected 9.7 million Australians.

However, OAIC now lists many failings of Medibank.

Prior to August 7th, 2022, an employee of a Medibank contractor (IT Service Desk Operator) had saved his credentials of Medibank accounts to his personal internet browser profile on the work computer. When the employee signed into his internet browser profile on his personal computer, the Medibank Credentials were synced across to his personal computer.

The operator had an elevated access account and could access most, if not all, systems, including network drives, management consoles, remote desktop access, and jump box servers.

“On or around August 7th, 2022, the Medibank Credentials were stolen from the IT Service Desk Operator’s personal computer by a threat actor using a variant of malware known as ,” the court document reads.

The threat actor was able to authenticate and log onto Medibank’s Global Protect VPN using only the Medibank Credentials, as access to the VPN did not require two or more proofs of identity or multi-factor authentication (MFA).

“Rather, Medibank’s Global Protect VPN was configured so that only a device certificate, or a username and password, was required.”

Medibank’s Endpoint Detection and Response (EDR) Security Software generated various alerts in relation to the threat actor’s activity on August 24th-25th, 2022.

“These alerts were not appropriately triaged or escalated by either Medibank or its service provider,” OAIC alleges.

The cybercriminal exfiltrated approximately 520 gigabytes of data unnoticed, including names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, passport numbers, health-related information, and claims data (such as patient names, provider names, primary/secondary diagnosis and procedure codes, treatment dates).

Until at least October 16th, Medibank allegedly was not aware that customer data had been accessed by a threat actor and exfiltrated from its systems. Later, a Threat Intelligence analyst notified the insurer.

Three days later, the threat actor contacted Medibank. After unsuccessful ransom demand attempts, cybercriminals started publishing the data on the dark web on November 9th, 2022.

OAIC also claims that Medibank was aware of its cybersecurity deficiencies. In 2018 and 2020, penetration testers and auditors identified weaknesses, such as weak password requirements, lack of proper processes for assessing information security, lack of MFA implementation, or excessive numbers of individuals with access to administrative privileges.

ABC News reports that the commissioner is alleging a contravention for each of the 9.7 million customers, which works out to a potential maximum fine of more than $21 trillion. However, the Privacy Act set the maximum fine a company could receive at $50 million or 30% of its turnover, whichever was greater.