Medibank’s lack of multi-factor authentication allowed hackers to infiltrate systems, regulator alleges

The Medibank data breach resulted in the personal details of 9.7 million current and former customers being published on the dark web. Photograph: David Gray/Reuters

Medibank’s failure to require its workers to use multi-factor authentication is what allowed hackers to obtain the personal information of its customers, the Australian privacy regulator alleges in new court documents.

The hack on Medibank resulted in the personal details of 9.7 million current and former customers – including 5.1 million Medibank customers, 2.8 million ahm customers and 1.8 million international customers – being published on the dark web.

While Medibank had previously blamed a third-party contractor and a “misconfigured firewall” for the hack, a federal court case against the health insurer has revealed key details for the first time about how the hacker was able to get into its systems and steal customer information.


In a concise statement for the court case, the Office of the Australian Information Commissioner alleges one of Medibank’s IT service desk operators had saved his Medibank username and password for a number of Medibank accounts to his personal internet browser profile on his work computer. The contractor had a standard access account and an admin account, which had access to most of Medibank’s systems, including network drives.

The credentials were synced to his personal computer when he used the same internet browser profile.

The credentials were obtained by the hacker on 7 August 2022, after the IT worker’s personal computer was compromised by malware.

A few days later the hacker logged into Medibank’s email server to test the credentials. Nearly two weeks later the hacker was able to log into Medibank’s virtual private network (VPN), which allowed remote access to the company’s corporate network.

The OAIC alleges the hacker was only able to log into the network using the credentials because “access to Medibank’s Global Protect VPN did not require two or more proofs of identity or multi-factor authentication (MFA)”.

“Rather, Medibank’s Global Protect VPN was configured so that only a device certificate, or a username and password (such as the Medibank Credentials), was required.”

Medibank’s system detected the hacker’s activity shortly after it occurred but these alerts were not appropriately triaged or escalated, the OAIC alleged, meaning the hacker was able to remain in the network for nearly two months between August and October 2022.
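The two VPN authentication configurations described above (certificate or password sufficing, versus all factors required) and the triage gap that followed, modelled as a small Python example added here; it is constructed for illustration and is not code from the court filing or from Medibank's systems, and the `LoginAttempt` fields, the policy functions, the account name and the severity labels are all assumptions.

```python
from dataclasses import dataclass

# Constructed model of the alleged VPN configuration (device certificate OR
# username/password admits the user) beside a hardened form requiring all factors.


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    password_ok: bool     # username/password matched the directory
    device_cert_ok: bool  # client presented a valid enrolled device certificate
    mfa_ok: bool          # second factor (push, OTP, hardware token) verified
    source: str           # constructed label for where the login came from


def weak_policy(a: LoginAttempt) -> bool:
    """Alleged configuration: certificate OR password, no MFA."""
    return a.device_cert_ok or a.password_ok


def hardened_policy(a: LoginAttempt) -> bool:
    """Corrected configuration: enrolled device AND password AND MFA."""
    return a.device_cert_ok and a.password_ok and a.mfa_ok


def triage(a: LoginAttempt, admitted: bool) -> str:
    """Severity label so credential-only successes (the pattern that stolen,
    browser-synced passwords produce) are escalated, not left in a queue."""
    if admitted and not a.device_cert_ok:
        return "HIGH: credential-only VPN login from unenrolled device"
    if not admitted and a.password_ok and not a.mfa_ok:
        return "MEDIUM: valid password rejected for missing MFA (possible theft)"
    return "INFO"


def evaluate(attempts, policy):
    """Return (user, admitted, triage label) for each attempt under a policy."""
    out = []
    for a in attempts:
        admitted = policy(a)
        out.append((a.user, admitted, triage(a, admitted)))
    return out


# Constructed sample: one login from an enrolled corporate laptop, and the same
# account's synced password replayed from a machine the company never enrolled.
SAMPLE_ATTEMPTS = [
    LoginAttempt("svcdesk01", True, True, True, "enrolled corporate laptop"),
    LoginAttempt("svcdesk01", True, False, False, "unenrolled personal PC"),
]

if __name__ == "__main__":
    for name, policy in (("weak", weak_policy), ("hardened", hardened_policy)):
        for user, admitted, label in evaluate(SAMPLE_ATTEMPTS, policy):
            print(f"{name:8} {user} admitted={admitted} {label}")
```

Under the weak policy the replayed password is admitted and only the triage label flags it; under the hardened policy the same attempt is refused outright.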

In that time, the hacker was able to obtain nearly 520GB of personal data, which was ultimately posted on the dark web.


The regulator alleges Medibank should have been aware that the lack of multi-factor authentication was an issue, with two independent reports by KPMG and Datacom in 2021 and 2020 respectively warning that it was a “critical” defect that multi-factor authentication had not been enabled.

The OAIC alleges that enabling such authentication is just one of the reasonable steps the insurer could have taken to protect customer information. The case had its first case management hearing last week, with discovery expected to commence in July.

Medibank has been approached for comment.

The government named 33-year-old Aleksandr Gennadievich Ermakov, a Russian citizen, IT worker and alleged cybercriminal, in sanctions legislation in connection with the hack.