Regulator blames Medibank cyberattack on lack of multi-factor authentication

In a court filing, the OAIC alleges that the health insurer's lack of MFA enabled a hacker to exfiltrate 520 gigabytes of data.

(Re)in Summary

• The Office of the Australian Information Commissioner attributed the 2022 cyberattack on Medibank to the lack of multi-factor authentication (MFA) on its IT systems.
• Court documents allege the attack was facilitated by a contractor’s infected personal computer and Medibank’s inadequate VPN configuration.
• Hack exposed 9.7 million customers’ data after information was published on the dark web.

The Australian data protection regulator has attributed the significant 2022 cyberattack on health insurer Medibank to the company’s failure to implement multi-factor authentication (MFA) on its IT systems, according to recently filed court documents.

The breach resulted in the exposure of personal data for 9.7 million current and former customers, including sensitive health information.

In a court document filed Monday (17 June), the Office of the Australian Information Commissioner (OAIC) revealed that the attack was facilitated by an IT service desk operator employed by a contractor, who saved his Medibank login credentials to a personal web browser profile on his work computer.

These credentials were subsequently synced to his personal computer, which was infected with malware that harvested them, giving the hackers a valid username and password for Medibank’s systems.

Those stolen credentials were enough on their own because, as the OAIC’s court filings state, “Medibank’s Global Protect VPN was configured so that only a device certificate, or a username and password (such as the Medibank Credentials), was required,” without the added security of MFA.

This single-factor configuration allegedly enabled the hacker to log into Medibank’s systems and exfiltrate approximately 520 gigabytes of data.
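The following is an added illustration, not code from Medibank, Palo Alto Networks or the OAIC filing. It models the authentication rule the filing describes (a device certificate OR a username and password, either one sufficient) beside a hardened rule that also demands a time-based one-time password, and shows that credentials harvested from a synced browser profile pass the first rule and fail the second. The user name, password, secret and policy functions are all assumptions; the TOTP routine follows RFC 6238 over HMAC-SHA1 and uses the RFC's published test key so its output can be checked.

```python
"""
Constructed VPN gateway authentication policies: the single-factor rule
(device certificate OR username/password) beside one that also requires
a TOTP code. Illustrative only; not Medibank's or Palo Alto's code.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# --- constructed user store (hypothetical values) -------------------------
SALT = b"constructed-salt"


def pw_hash(password: str) -> bytes:
    """Salted PBKDF2 hash used by the toy user store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS = {
    "servicedesk01": {                            # hypothetical account
        "pw_hash": pw_hash("Winter2022!"),        # hypothetical password
        "totp_secret": b"12345678901234567890",   # RFC 6238 test-vector key
    }
}


def totp(secret: bytes, timestep: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for one 30-second time step."""
    mac = hmac.new(secret, struct.pack(">Q", timestep), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class LoginAttempt:
    username: str
    password: str
    device_cert_valid: bool   # did the client present a valid device certificate?
    otp: Optional[str]        # TOTP code supplied by the user, if any
    timestep: int             # unix_time // 30, passed in so results are deterministic


def password_ok(a: LoginAttempt) -> bool:
    user = USERS.get(a.username)
    return user is not None and hmac.compare_digest(user["pw_hash"], pw_hash(a.password))


def mfa_ok(a: LoginAttempt) -> bool:
    user = USERS.get(a.username)
    if user is None or a.otp is None:
        return False
    # Accept the current step and one step either side to absorb clock drift.
    return any(hmac.compare_digest(totp(user["totp_secret"], a.timestep + d), a.otp)
               for d in (-1, 0, 1))


def weak_policy(a: LoginAttempt) -> bool:
    """The configuration the filing describes: either factor alone is enough."""
    return a.device_cert_valid or password_ok(a)


def hardened_policy(a: LoginAttempt) -> bool:
    """Assumed hardened rule: password AND device certificate AND valid TOTP."""
    return password_ok(a) and a.device_cert_valid and mfa_ok(a)


def attacker_attempt(step: int) -> LoginAttempt:
    # Credentials lifted from the synced browser profile: no certificate, no OTP.
    return LoginAttempt("servicedesk01", "Winter2022!", False, None, step)


def legitimate_attempt(step: int) -> LoginAttempt:
    secret = USERS["servicedesk01"]["totp_secret"]
    return LoginAttempt("servicedesk01", "Winter2022!", True, totp(secret, step), step)


if __name__ == "__main__":
    step = 59 // 30   # RFC 6238 test vector time T=59s -> step 1
    for label, attempt in (("attacker", attacker_attempt(step)),
                           ("employee", legitimate_attempt(step))):
        print(f"{label:8} weak={weak_policy(attempt)} hardened={hardened_policy(attempt)}")
```

The point of the comparison is the boolean connective: an OR between factors means the weakest factor decides the outcome, so a phished or malware-harvested password is a complete credential. Requiring the factors conjunctively forces an attacker to hold something that does not sync across a browser profile.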

Medibank had previously attributed the breach to a third-party contractor and a misconfigured firewall. However, the OAIC’s detailed report indicates that the insurer was aware of serious cybersecurity deficiencies prior to the attack.

Independent reports by KPMG in 2021 and Datacom in 2020 had already highlighted the absence of MFA as a “critical” defect.

Despite receiving alerts during the attack, “these alerts were not appropriately triaged or escalated by either Medibank or its service provider, Orro, at that time,” the OAIC said, allowing the hacker to remain in the network for nearly two months.

The stolen data, which included names, addresses, Medicare numbers, and health and financial information, was eventually published on the dark web.

The Australian government has named Russian national Aleksandr Gennadievich Ermakov, alleged to be part of the cybercrime group REvil, in connection with the attack. This marks the first instance of the Australian government imposing cyber sanctions of this nature.

The OAIC has taken Medibank to court over the case with the theoretical potential for fines to exceed AU$21 trillion for failing to protect customer data. The first hearing in the Federal Court is yet to be scheduled, and Medibank has stated its intention to defend the proceedings.
