Multifactor Authentication Could Have Prevented 9.7 Million-Record Medibank Data Breach
In 2022, a hacker breached the network of the Australian health insurance provider Medibank, obtained the personal and medical information of 9.7 million individuals, and released the stolen data on the dark web. The Australian Information Commissioner now alleges, in a Federal Court filing, that the attack, like the ransomware attack on Change Healthcare, could have been prevented had multifactor authentication been implemented.
Medibank had previously stated that the breach was due to an error by a contractor and a misconfigured firewall; however, the Australian Information Commissioner (AIC) disclosed details of the security failures that led to the breach in a recent Australian Federal Court filing. According to the filing, the cyberattack started with the theft of the credentials of an IT service desk contractor, who had saved Medibank usernames and passwords for multiple accounts in the internet browser profile on the work computer he used to provide IT services to Medibank. The contractor later signed into the same browser profile on his personal computer, and the saved credentials were synced to that machine.
The credentials included a standard access account and an admin account with higher privileges, with the latter providing access to most – if not all – Medibank systems including network drives, remote desktop access, and jump box servers that were used to access Medibank databases and directories. Unbeknownst to the contractor, malware had been installed on his personal computer that could harvest credentials, and on August 7, 2022, the contractor’s credentials were stolen. The threat actor used the stolen credentials to access Medibank’s Exchange Server on August 12, 2022 and also tested the credentials for the contractor’s admin account.
A few days later on August 23, 2022, the threat actor authenticated to the Medibank Global Protect Virtual Private Network which controlled remote access to the corporate network. From August 25, 2022, to October 23, 2022, the credentials were used to access various Medibank systems, including databases containing Medibank customers’ personal and health information. During that time, the threat actor exfiltrated around 520 gigabytes of data. The exfiltrated data included patient names, birthdates, gender, Medicare numbers, contact information, visa details for foreign workers and patients, diagnosis and procedure numbers, dates of treatment, claims data, and provider names, locations, and contact information.
According to the AIC, the breach could have been prevented if multifactor authentication had been enabled: despite the contractor's extensive admin privileges, Medibank's Global Protect VPN required only a device certificate or a username and password to grant access. Medibank had security software in place that detected the suspicious activity and generated alerts. Those alerts were sent to a Medibank IT security operations email address but were not triaged appropriately or escalated. They were first generated on August 24, 2022, the day before the threat actor used the credentials to access a swathe of Medibank systems from which a huge amount of data was subsequently exfiltrated. The threat actor remained in the network for two months before the intrusion was detected.
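The two gaps the filing describes, privileged accounts allowed onto the VPN with a single factor and alerts that reached a mailbox but were never escalated, are both catchable with simple triage rules over the VPN's authentication log. The script below is an added example written for this page, not Medibank's or Palo Alto's code; the log lines are constructed, the key=value format is a simplification rather than GlobalProtect's real syslog layout, and the account names, the list of privileged accounts and the per-account baseline of known source addresses are all assumed inventory data.

```python
"""Triage of VPN authentication events: flag privileged accounts that
authenticate with a single factor, and logins from a source address
never seen before for that account. Added example; the log format is a
constructed simplification, not a real GlobalProtect log."""
from dataclasses import dataclass
import re

# Constructed sample events (not real Medibank or GlobalProtect logs).
# One contractor holds a standard account and a separate admin account.
SAMPLE_LOG = """\
ts=2022-08-23T03:14:05Z user=svc.desk.contractor src=203.0.113.7 method=password mfa=no result=success
ts=2022-08-23T03:16:41Z user=adm.desk.contractor src=203.0.113.7 method=password mfa=no result=success
ts=2022-08-23T09:02:10Z user=j.smith src=198.51.100.20 method=certificate mfa=no result=success
ts=2022-08-23T09:05:33Z user=j.smith src=198.51.100.20 method=password mfa=yes result=success
ts=2022-08-23T11:47:02Z user=adm.desk.contractor src=192.0.2.44 method=password mfa=no result=failure
"""

# Assumed inventory data: which accounts hold admin rights, and the
# source addresses each account has previously authenticated from.
PRIVILEGED = {"adm.desk.contractor"}
BASELINE_SOURCES = {
    "svc.desk.contractor": {"192.0.2.44"},
    "adm.desk.contractor": {"192.0.2.44"},
    "j.smith": {"198.51.100.20"},
}

EVENT_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    severity: str
    rule: str
    user: str
    src: str
    ts: str


def parse_event(line):
    """Turn one key=value log line into a dict; None for unparseable input."""
    fields = dict(EVENT_RE.findall(line))
    required = {"ts", "user", "src", "method", "mfa", "result"}
    if not required.issubset(fields):
        return None
    return fields


def triage(log_text, privileged, baseline):
    """Apply escalation rules to successful logins; result ordered by severity.

    critical: a privileged account got in with only a certificate or password
    high:     a privileged account logged in from a never-seen source address
    medium:   any other account logged in from a never-seen source address
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["result"] != "success":
            continue  # failures matter for brute-force rules, not these two
        user, src = ev["user"], ev["src"]
        single_factor = ev["mfa"] != "yes"
        new_source = src not in baseline.get(user, set())
        if user in privileged and single_factor:
            alerts.append(Alert("critical", "admin_single_factor", user, src, ev["ts"]))
        if new_source:
            sev = "high" if user in privileged else "medium"
            alerts.append(Alert(sev, "new_source", user, src, ev["ts"]))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(alerts, key=lambda a: (order[a.severity], a.ts))


def escalation_queue(alerts):
    """Accounts an analyst must look at the same day: any critical or high alert."""
    return sorted({a.user for a in alerts if a.severity in ("critical", "high")})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG, PRIVILEGED, BASELINE_SOURCES)
    for a in found:
        print(f"{a.severity:8} {a.rule:20} {a.user:22} {a.src:15} {a.ts}")
    print("escalate:", escalation_queue(found))
```

On the constructed sample the admin account produces a critical alert (password only, no second factor) and a high alert (first login from 203.0.113.7), so it lands in the escalation queue rather than in an unread mailbox; the standard account from the same new address is only medium, and a certificate-only login by an ordinary user from a known address raises nothing. The point of the severity ordering is that a queue like this is routed to an analyst with a response deadline, which is the step the filing says was missing.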
The AIC alleges that Medibank should have been aware of the lack of multifactor authentication and the security risk, as Medibank was given two reports in 2020 and 2021 warning that the lack of multifactor authentication was a critical security defect, first by KPMG and then by Datacom. The AIC alleges Medibank violated the Australian Privacy Act of 1988 by failing to take appropriate steps to protect the sensitive data it held and is seeking a substantial financial penalty.
The penalties for violations of the Privacy Act were increased in 2022 to the greater of AU$50 million, three times the value of any benefit obtained through the misuse of information, or 30% of adjusted turnover at the time of the breach. The breach occurred before those amendments took effect, so the previous penalties apply: a maximum of AU$2.22 million per violation. The AIC alleges one Privacy Act violation for each of the 9.7 million individuals affected by the breach, which puts the theoretical maximum fine, if applied by the Federal Court, above AU$21 trillion (US$13.97 trillion).