Two weeks after Australia’s privacy watchdog initiated legal action against Medibank for failing to safeguard citizens’ personal information during a 2022 data breach, the Information Commissioner’s office has released a detailed analysis of the security lapses that led to the incident.
Medibank, a prominent health insurance provider in Australia, suffered a significant cyberattack in October 2022, compromising the personal data of 9.7 million current and former customers.
According to the report from the Office of the Australian Information Commissioner (OAIC), the breach was likely facilitated by critical cybersecurity deficiencies, such as the absence of multi-factor authentication (MFA) for accessing its VPN. This oversight made it easier for attackers to exploit compromised credentials.
Sequence of Events in the Medibank Breach
The breach at Medibank originated when an IT service desk operator, using personal browser settings on a work computer, inadvertently synchronized their Medibank credentials to a home device infected with information-stealing malware. This allowed hackers to obtain these credentials, including those with elevated privileges.
Using these credentials, the attackers initially breached Medibank’s Microsoft Exchange server on August 12, 2022, before gaining access to Medibank’s Palo Alto Networks Global Protect VPN. Notably, the VPN lacked MFA, thereby lowering the barrier for unauthorized access.
It wasn’t until mid-October that Medibank engaged a threat intelligence firm to investigate an incident involving the Microsoft Exchange ProxyNotShell vulnerabilities; that investigation revealed that data had already been exfiltrated in the earlier intrusion.
Security Failures and Missed Alerts
Lack of Multi-Factor Authentication (MFA)
A critical lapse in Medibank’s security posture was the absence of MFA for VPN access. During the relevant period, the VPN allowed entry using only a device certificate or a username and password, lacking the additional security layer provided by MFA. This deficiency significantly facilitated unauthorized access.
Operational and Alert Management Failures
Medibank’s Endpoint Detection and Response (EDR) system raised multiple alerts about suspicious activity on August 24 and 25, but these alerts were not promptly addressed or escalated. This delay enabled the attackers to operate undetected for an extended period, culminating in the exfiltration of approximately 520 gigabytes of sensitive data from Medibank’s MARS Database and MPLFiler systems.
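The two findings above (single-factor VPN logins and EDR alerts left unacknowledged) are the kind of thing a defender can audit from logs. The following is an added example, not code from the article, Medibank or any vendor; the VPN log format, field names, alert schema and the review timestamp standing in for the mid-October investigation are all assumptions made for the example.

```python
"""Added example: audit constructed VPN authentication log lines for
single-factor logins, and flag EDR alerts not acknowledged within an SLA.
Log format, field names and alert schema are assumptions for this example."""
from datetime import datetime, timedelta

# Constructed sample VPN auth events (assumed "key=value" format).
VPN_LOG = """\
2022-08-12T21:14:03Z user=svc_helpdesk result=success factors=password
2022-08-12T21:20:47Z user=jdoe result=success factors=cert
2022-08-13T08:02:11Z user=asmith result=success factors=password,totp
2022-08-13T09:40:00Z user=svc_helpdesk result=failure factors=password
"""

def parse_vpn_line(line):
    """Split one log line into a dict; 'factors' becomes a list."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["factors"] = rec["factors"].split(",")
    return rec

def single_factor_logins(log_text):
    """Successful logins that used fewer than two distinct factors
    (password-only or certificate-only, as the article describes)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_vpn_line(line)
        if rec["result"] == "success" and len(set(rec["factors"])) < 2:
            hits.append((rec["ts"].isoformat(), rec["user"], ",".join(rec["factors"])))
    return hits

# Constructed EDR alerts: (raised, acknowledged or None, severity).
ALERTS = [
    (datetime(2022, 8, 24, 3, 5), None, "high"),
    (datetime(2022, 8, 25, 1, 30), None, "high"),
    (datetime(2022, 8, 25, 2, 0), datetime(2022, 8, 25, 2, 45), "medium"),
]
# Assumed review time standing in for the mid-October investigation.
NOW = datetime(2022, 10, 15, 12, 0)

def unescalated_alerts(alerts, now=NOW, sla=timedelta(hours=4)):
    """Alerts whose acknowledgement (or continued silence) exceeded the SLA,
    with dwell time in whole days so the cost of the delay is visible."""
    overdue = []
    for raised, acked, severity in alerts:
        handled_at = acked or now
        if handled_at > raised + sla:
            overdue.append((raised.isoformat(), severity, (handled_at - raised).days))
    return overdue
```

Run against the constructed data, the audit surfaces the two single-factor logins and the two high-severity alerts that sat unacknowledged for roughly seven weeks.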
Data Compromised and Consequences
The stolen data included highly sensitive information such as customers’ personal details, Medicare numbers, passport information, and extensive health-related data. The exposure of such information poses severe risks to affected individuals, including identity theft and misuse of medical information for fraudulent activities.
The attackers, associated with the ransomware group BlogXX, subsequently leaked the data on the dark web. This incident not only caused widespread concern among Australians but also underscored the dire consequences of inadequate cybersecurity measures.
Legal and Regulatory Actions
The OAIC’s investigation revealed that Medibank was aware of significant security shortcomings prior to the breach, including findings from an Active Directory Risk Assessment in June 2020 that highlighted excessive user privileges and the absence of MFA for both privileged and non-privileged users.
Consequently, Australia’s data protection regulator announced legal proceedings against Medibank for failing to protect personal information adequately. The potential fines could exceed AU$2 million, reflecting the severity of the breach.
While Medibank has not disclosed its response to the lawsuit, it previously stated its intention to defend against the allegations.
Medibank Hacker Sanctioned and Arrested
Earlier this year, Aleksandr Gennadievich Ermakov, believed to be responsible for the Medibank hack, was sanctioned by the U.S., Australia, and the U.K. Subsequently, Ermakov was arrested by Russian authorities, along with two others, for violating laws related to harmful computer activities. However, extradition is unlikely due to current geopolitical tensions.
Lessons and Recommendations
The Medibank breach highlights several crucial lessons for organizations in enhancing cybersecurity:
- Implementation of Multi-Factor Authentication (MFA): Utilizing MFA across all access points, particularly VPNs, significantly enhances security by adding an additional layer of protection against credential theft.
- Proper Alert Management: Organizations must promptly triage and escalate security alerts to mitigate potential threats effectively.
- Regular Security Audits: Conducting routine security audits helps identify vulnerabilities and ensures compliance with cybersecurity best practices.
- Employee Training: Continuous education on cybersecurity practices is essential to minimize risks originating from human error, emphasizing responsible use of corporate credentials and safe online behaviors.
By addressing these areas, organizations can strengthen their defenses against cyber threats and safeguard sensitive information, ensuring resilience in an increasingly digital landscape.
Source: thecyberexpress.com