Medibank security failures revealed by OAIC

Australia’s largest private health insurer was aware of “serious deficiencies in its cybersecurity and information security framework” a full two years before the October 2022 data breach that saw a record loss of personal customer information to hackers, the Office of the Australian Information Commissioner (OAIC) has alleged in a document filed with the Federal Court.

The breach affected the privacy of more than 9.7 million current and former Medibank customers whose personal information it held.

As part of ongoing court proceedings initiated by the Information Commissioner in early June, a document uploaded by the OAIC on June 19 outlined the background to its legal case.

It explains the breach originated when “an employee of a Medibank contractor (IT Service Desk Operator) had saved his Medibank username and password for a number of Medibank accounts (Medibank Credentials) to his personal internet browser profile on the work computer he used to provide IT services to Medibank. When the IT Service Desk Operator subsequently signed into his internet browser profile on his personal computer, the Medibank Credentials were synced across to his personal computer.

“During the Relevant Period, the Admin Account had access to most (if not all) of Medibank’s systems, including network drives, management consoles, and remote desktop access to jump box servers (used to access certain Medibank directories and databases).

“On or around 7 August 2022, the Medibank Credentials were stolen from the IT Service Desk Operator’s personal computer by a threat actor using a variant of malware ...”
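The credential-sync path the filing describes gives a defender one concrete thing to look for on managed endpoints: corporate logins saved in a browser's password store, from where profile sync will carry them to any device the user signs into. The script below is an added example, not code from the OAIC filing or from Medibank. It reads the `logins` table of a Chrome-style SQLite "Login Data" store and reports saved logins for corporate hosts without touching the encrypted password values; a simplified in-memory copy of that table is constructed inline so the script runs offline, and the corporate domain list is a placeholder, not Medibank's real hostnames.

```python
import sqlite3
from urllib.parse import urlparse

# Hosts that count as corporate. Hypothetical placeholders, not Medibank's
# real hostnames; replace with the organisation's own VPN, mail and admin hosts.
CORPORATE_DOMAINS = ("corp.example.com", "vpn.example.com", "mail.example.com")


def build_sample_login_db():
    """Constructed stand-in for a browser's saved-password store.

    Chrome keeps saved credentials in a SQLite file named 'Login Data' with a
    'logins' table. Only a few of its columns are reproduced here, and the
    password_value column holds a placeholder blob rather than real
    OS-encrypted data; the audit never needs to decrypt it.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (origin_url TEXT, username_value TEXT, "
        "password_value BLOB, date_created INTEGER)"
    )
    sample = [  # constructed rows
        ("https://vpn.example.com/global-protect/login.esp", "svc-admin", b"<encrypted>", 1),
        ("https://mail.example.com/owa/", "jdoe", b"<encrypted>", 2),
        ("https://news.example.org/", "jdoe_personal", b"<encrypted>", 3),
    ]
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?, ?)", sample)
    conn.commit()
    return conn


def is_corporate(origin_url, corporate_domains=CORPORATE_DOMAINS):
    """True if the saved login's origin host is a corporate domain or a subdomain of one."""
    host = (urlparse(origin_url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in corporate_domains)


def find_corporate_logins(conn, corporate_domains=CORPORATE_DOMAINS):
    """Return (origin_url, username) pairs for saved logins on corporate hosts."""
    rows = conn.execute(
        "SELECT origin_url, username_value FROM logins ORDER BY date_created"
    ).fetchall()
    return [(url, user) for url, user in rows if is_corporate(url, corporate_domains)]


def audit_login_data(path=None, corporate_domains=CORPORATE_DOMAINS):
    """Audit a 'Login Data' file opened read-only; with no path, audit the constructed sample.

    The live file is locked while the browser runs, so point this at a copy.
    """
    conn = build_sample_login_db() if path is None else sqlite3.connect(
        f"file:{path}?mode=ro", uri=True
    )
    try:
        return find_corporate_logins(conn, corporate_domains)
    finally:
        conn.close()


if __name__ == "__main__":
    for url, user in audit_login_data():
        print(f"corporate credential saved in browser: {user} @ {url}")
```

Run against a copied profile this flags the two corporate entries and ignores the personal one. It is a detection aid only: the control that actually closes the path in the filing is enterprise browser policy that disables the built-in password manager and profile sync on managed machines, plus MFA on the VPN so a synced password is not sufficient on its own.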

Subsequently the hacker was able to log onto Medibank’s Microsoft Exchange server and test the Medibank Credentials for the Admin Account, and then authenticate and log onto Medibank’s “Global Protect” Virtual Private Network (VPN) solution (which controlled remote access to the Medibank corporate network).

This was only possible because access to Medibank’s Global Protect VPN did not require multi-factor authentication (MFA), that is, two or more proofs of identity.

Medibank’s Endpoint Detection and Response (EDR) software generated various alerts, but these were not acted on, and 520 gigabytes of data were taken from Medibank’s systems between August and October 2022.

The OAIC has outlined extensive deficiencies in Medibank’s cybersecurity and information security framework and alleges that it failed to take reasonable steps to protect the personal and sensitive information it held.

These include:

- failing to implement MFA for authenticating remote access users;

- failing to implement appropriate password complexity for user accounts;

- failing to implement password monitoring and review processes to ensure that passwords used to access important data repositories and/or servers were encrypted and not stored in plain text;

- failing to implement appropriate application controls for critical servers, including servers used to access sensitive or critical information assets.

The court filing highlights the history of Medibank’s awareness of serious deficiencies in its cybersecurity and information security framework:

“A report of a penetration test of Medibank’s OSHC web environment by Threat Intelligence dated 26 March 2018 identified weaknesses in Medibank’s cybersecurity framework, including insecure or weak password requirements for accessing its systems. Further penetration test reports provided by Threat Intelligence in September 2018 and November 2020 in relation to different environments identified similar deficiencies regarding insecure or weak password requirements.

“An Active Directory Risk Assessment report provided by Datacom on or around 27 June 2020 identified that Medibank had an excessive number of individuals who had access to Active Directory (being the Microsoft directory service used for management of all Medibank users, group policies and domains), a number of individuals had been given excessive privileges to perform simple daily routines, and that MFA had not been enabled for privileged and non-privileged users, which was described as a ‘critical’ defect.

“An internal Medibank presentation prepared in around February 2022 in relation to work being undertaken to identify gaps in Medibank’s compliance with CPS 234, identified that a set of security controls and a control review process and timeline for conducting the review had been prepared in 2020, but never implemented.”

The full document can be viewed HERE.