A lack of an “absolute bare minimum” cyber security requirement contributed to the devastating Medibank data breach, according to new court documents that also reveal the health insurer was aware of this “critical defect” for more than two years before the incident.

The Office of the Australian Information Commissioner (OAIC) has launched civil proceedings in the Federal Court against Medibank over the October 2022 data breach which saw the personal and highly sensitive information of 9.7 million current and former customers stolen and eventually posted on the dark web.

A document filed to court by the OAIC provides a brief overview of the case against Medibank, with the privacy watchdog alleging the company “seriously, further or alternatively repeatedly, interfered with the privacy of approximately 9.7 million individuals whose personal information it held” by failing to take reasonable steps to protect it, in breach of Australian law.

According to the OAIC, Medibank was “aware of serious deficiencies in its cyber security and information security framework” for at least 18 months before the breach.

First and foremost in these issues was the lack of multi-factor authentication, commonly regarded as one of the simplest and most basic measures to protect systems against cyber attacks and data breaches.

UNSW School of Computer Science and Engineering Professor in cybercrime Richard Buckland said the revelations in the report are “shocking” and that multi-factor authentication is a basic cyber mitigation measure.

“If all these assertions are true, it’s very sobering,” Buckland told Information Age.

“It’s the minimum thing people should be doing.

“The temptation is to find a worker and blame them – to say it’s human error.

“But really this was a company failure and a poor culture allowed these individual human errors to lead to catastrophic results.”

According to the OAIC report, in August 2022 an employee of a Medibank contractor saved his Medibank username and password to his personal internet browser profile on a work computer.

When this worker then signed into his internet browser profile on his personal computer, these credentials were synced across.

These credentials provided access to most, if not all, of Medibank’s systems.

Threat actors then stole these credentials from the worker’s personal computer using a malware variant and used them to log into Medibank’s Microsoft Exchange server as a test, according to OAIC.

Two weeks later, these credentials were used to log into Medibank’s Global Protect VPN solution, which it used to control remote access to its corporate network.

The malicious actor was able to do this using just the credentials, as “access to Medibank’s Global Protect VPN did not require two or more proofs of identity or multi-factor authentication”.

“Rather, Medibank’s Global Protect VPN was configured so that only a device certificate, or a username and password, was required,” the OAIC document said.
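The configuration the OAIC describes is an “either/or” policy: a device certificate on its own, or a username and password on its own, was enough. The following is an added example, not code from the article, Medibank, Palo Alto Networks or the OAIC. It models that policy beside a corrected “password plus a possession factor” policy, shows that a stolen password alone satisfies the first and not the second, and then runs two simple detections over constructed authentication events: a successful VPN login verified with only one factor class, and a successful login from a source address the user has never used before. The log format, field names, usernames and IP addresses are all assumptions made for the demo.

```python
"""Policy check and detection logic for single-factor remote access.

Added example, not code from the article or from any named organisation.
The log format, field names and every event below are constructed.
"""
import json
from collections import defaultdict
from dataclasses import dataclass

# A real second factor must come from a different class than the first.
FACTOR_CLASS = {
    "password": "knowledge",
    "otp": "possession",
    "push": "possession",
    "device_cert": "possession",
}

# A policy is a list of alternative factor sets; satisfying any one alternative
# grants access. WEAK_POLICY mirrors the either/or configuration described in
# the filing (assumed shape, not vendor syntax); STRONG_POLICY requires the
# password plus a possession factor.
WEAK_POLICY = [{"device_cert"}, {"password"}]
STRONG_POLICY = [{"password", "device_cert"}, {"password", "otp"}, {"password", "push"}]


def policy_allows(policy, verified):
    """True if the verified factors satisfy at least one alternative."""
    verified = set(verified)
    return any(alt <= verified for alt in policy)


def factor_classes(verified):
    """Distinct factor classes actually verified for a login."""
    return {FACTOR_CLASS[f] for f in verified if f in FACTOR_CLASS}


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    user: str
    service: str        # "exchange" or "vpn" in the constructed log
    src_ip: str
    verified: frozenset  # factor names the service actually checked
    success: bool


def parse_events(lines):
    """Parse one JSON object per line into AuthEvent records (constructed format)."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        r = json.loads(line)
        events.append(AuthEvent(r["ts"], r["user"], r["service"], r["src_ip"],
                                frozenset(r["verified"]), r["result"] == "success"))
    return events


def analyse(events):
    """Return (ts, user, finding) tuples for successful VPN logins verified with
    fewer than two factor classes, and for successful logins from a source
    address not previously seen for that user."""
    seen = defaultdict(set)
    findings = []
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            continue
        if e.service == "vpn" and len(factor_classes(e.verified)) < 2:
            findings.append((e.ts, e.user, "single_factor_vpn_login"))
        if seen[e.user] and e.src_ip not in seen[e.user]:
            findings.append((e.ts, e.user, "new_source_ip"))
        seen[e.user].add(e.src_ip)
    return findings


# Constructed events: a contractor's normal logins from an office address, then
# a password-only "test" login to Exchange from an unknown address, then a
# password-only VPN login from that address two weeks later.
SAMPLE_LOG = """
{"ts":"2022-07-20T09:01:00Z","user":"contractor1","service":"vpn","src_ip":"203.0.113.10","verified":["device_cert","password"],"result":"success"}
{"ts":"2022-07-21T09:03:00Z","user":"contractor1","service":"exchange","src_ip":"203.0.113.10","verified":["password"],"result":"success"}
{"ts":"2022-08-07T22:14:00Z","user":"contractor1","service":"exchange","src_ip":"198.51.100.77","verified":["password"],"result":"success"}
{"ts":"2022-08-21T03:40:00Z","user":"contractor1","service":"vpn","src_ip":"198.51.100.77","verified":["password"],"result":"success"}
"""


def demo():
    stolen = {"password"}
    print("weak policy accepts a stolen password alone:", policy_allows(WEAK_POLICY, stolen))
    print("strong policy accepts a stolen password alone:", policy_allows(STRONG_POLICY, stolen))
    for finding in analyse(parse_events(SAMPLE_LOG.splitlines())):
        print(*finding)


if __name__ == "__main__":
    demo()
```

Two things are worth noticing when it runs. The strong policy treats a device certificate and a password as different factor classes, so either alternative in it needs something an attacker with only the synced credentials does not hold. And the new-address check fires on the password-only Exchange login two weeks before the VPN login, which in the sequence the OAIC describes is the earlier of the two opportunities to catch the intrusion.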

The hackers were then able to steal about 520GB of data, including the personal information of 9.7 million Medibank customers.

‘Absolute minimum’ of cyber security

Multi-factor authentication is commonly regarded as a key cyber security mitigation measure and is one of the Australian Signals Directorate’s Essential Eight strategies.

Cyber security expert and Have I Been Pwned founder Troy Hunt said multi-factor authentication “should be viewed as an absolute minimum requirement”.

“There’s a very long tail of organisations that haven’t yet adopted 2FA across the board, so I’m not surprised to hear this finding about Medibank,” Hunt told Information Age.

“Whilst there appears to have been other security failures that contributed to this attack, the whole point of a second factor is to ensure incidents like this can’t occur when a single factor is compromised.”

OAIC said there were “deficiencies in the form and implementation of Medibank’s cyber security and information security framework”, including with its “failure to implement or properly configure information security controls of a basic or baseline nature or standard for an organisation of Medibank’s size”.

“Medibank’s failure to take reasonable steps commensurate with protecting the personal and sensitive information it held, exposed that information to the risk of misuse, unauthorised access and / or disclosure,” OAIC told the court.

Forewarnings

OAIC also revealed that Medibank was repeatedly warned of the risks associated with its lack of multi-factor authentication in a number of reports prior to the devastating cyber incident.

A report by Datacom into Medibank’s cyber security in mid-2020 identified the lack of multi-factor authentication as a “critical defect”, finding it was not activated for privileged and non-privileged users.

A report by KPMG in August 2021 also found that it was not in place for privileged users when accessing particular systems.

Buckland said that the Medibank incident should be a wake-up call to Australian businesses to prioritise cyber security.

“I hope this isn’t indicative of the level of focus businesses across Australia are putting on IT,” he said.

“[But] my sneaking suspicion is this is just the tip of the iceberg and we’re really seeing that companies have not yet fully switched to thinking about cyber risk as the risk it is.

“There’s just too much complacency.”