Inside the Medibank hack: Stolen credentials, no MFA, and a slow response allegedly to blame

Sometime before early August of 2022, a third-party service desk contractor was given admin access to practically the entire Medibank network – the first step in a series of events that would ultimately lead to a data breach impacting nearly 10 million Australians.

The Australian Information Commissioner (AIC) has revealed these details and more in a 14 June filing to the Federal Court of Australia, in which the AIC alleges that Medibank “further or alternatively repeatedly, interfered with the privacy of approximately 9.7 million individuals (comprising current and former Medibank customers), whose personal information it held, in contravention of s 13G of the Privacy Act 1988”.

Under a section titled “Important facts giving rise to the claim”, the AIC then lays out a forensic timeline of events leading up to the data breach, including the steps it alleges Medibank failed to take to secure its data.

The roots of the incident occurred sometime before 7 August 2022, when the service desk contractor was given both standard and admin access to Medibank’s network. It was then that the contractor saved his login credentials on his personal browser on his work computer, which was later synced to his personal computer soon after.

According to the AIC filing, “the admin account had access to most (if not all) of Medibank’s systems, including network drives, management consoles, and remote desktop access to jump box servers (used to access certain Medibank directories and databases)”.

Those credentials were then stolen at some point around 7 August by a threat actor using a “variant of malware” that is redacted in the court document, alongside other technical details.

Then, on 12 August, the hacker used those credentials to test their access to Medibank’s Microsoft Exchange server. Nearly two weeks later, around 23 August, the hacker was able to “authenticate and log onto” the company’s “Global Protect” VPN, allowing them to run a “type of malicious script commonly used by threat actors”.

The AIC asserts that this access was only possible because of Medibank’s lack of cyber security preparedness. At the time, the filing states, Medibank’s VPN was not configured for multifactor authentication, nor did it require “two or more proofs of identity” – all that was needed for the threat actor to access the network were the stolen credentials.

VIEW ALL

More alarmingly, the filing reveals that Medibank’s security software spotted the intrusion – but it wasn’t adequately followed up at the time.

“On or around 24 and 25 August 2022, Medibank’s Endpoint Detection and Response (EDR) Security Software [REDACTED] generated various alerts in relation to the threat actor’s activity that were sent to a Medibank IT Security Operations email address,” the AIC said.

“These alerts were not appropriately triaged or escalated.”

Because of this, according to the AIC, the threat actor had access to Medibank’s internal data for more than a month, from 25 August to 13 October. During this time, they were able to exfiltrate 520 gigabytes of personal data, including “names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, passport numbers, health-related information and claims data.

The claims data featured patient details such as procedures and diagnoses.

It wasn’t until 11 October that Medibank and its incident response partner, Threat Intelligence, began to respond to the ongoing data breach. A Threat Intelligence analyst noted “a series of suspicious volumes of data exfiltrated out of Medibank’s network” on 16 October, the first time Medibank had become aware that customer data had been compromised.

The hacker contacted Medibank on 19 and 22 October, providing the insurer with evidence of the hack. Then, between 9 November and 1 December 2022, the hacker published the stolen data on the dark web.

The AIC noted in its filing that under the Privacy Act, Medibank – as an Australian Privacy Principle entity – was responsible for safeguarding the personal information it held.

“Medibank did not have regard to this principle throughout the relevant period, in that it failed adequately to manage cyber security and/or information security risk congruent with the nature and volume of personal information it held (which included sensitive information, such as information about its customers’ race and ethnicity and health information), its size, and the risk profile of organisations operating within its sector,” the AIC alleged.

“Medibank did not invest sufficiently in the specialist cyber security and/or information security resources or the policies, practices and controls reasonably required to protect the personal information it held.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.