Documents filed to the Federal Court show how cybercriminals were able to access the personal details of 9.7 million customers.
More details have been revealed in the Office of the Australian Information Commissioner’s case against Medibank over its massive data hack in 2022.
The OAIC alleges Medibank breached sections of the Privacy Act by not taking enough steps to protect the sensitive information it held about its customers.
Court documents have been released detailing the Office of the Australian Information Commissioner’s allegations against Medibank over its 2022 data hack, which impacted some 9.7 million current and former Medibank customers.
In the filing, the OAIC claims that the lack of multi-factor authentication on Medibank’s private network allowed the cybercriminals to access the insurance giant’s records and then publish personal information on the dark web.
The Federal Court can impose a civil penalty of up to $2.22 million for each contravention of section 13G (as per the penalty rate applicable from March 2021 to October 2022). If each customer represents a single breach, the company could face fines totalling $21.5 trillion, Health Services Daily reported earlier this month.
Victoria Police have linked more than 11,000 “cybercrime incidents” to the data breach, according to its submission to the Commonwealth Parliamentary Joint Committee Inquiry.
According to the Concise Statement filed in the Federal Court on 14 June, the OAIC alleges that, during 12 March 2021 to 13 October 2022, Medibank “seriously, further or alternatively repeatedly, interfered with the privacy of approximately 9.7 million individuals (comprising current and former Medibank customers), whose personal information it held, in contravention of s13G of the Privacy Act 1988 (Cth) (Act), by failing to take reasonable steps to protect that personal information from misuse, and/or from unauthorised access or disclosure, in breach of Australian Privacy Principle (APP) 11.1”.
Personal information collected and held by Medibank during that period included names, dates of birth, home addresses, phone numbers, email addresses, employment details, passport numbers, Medicare numbers and financial information.
“The personal information included sensitive information about Medibank’s customers’ race and ethnicity and health information such as information about any illnesses, disabilities or injuries, health services provided to the individual and health claims data,” the statement revealed.
According to the statement, the OAIC alleges the data breach stemmed from an IT service desk operator who was an employee of a Medibank contractor. During his employment he had access to “standard access and an elevated access” accounts.
The elevated access account gave the operator access to an admin account that had access to “most (if not all) of Medibank’s systems, including network drives, management consoles, and remote desktop access to jump box servers (used to access certain Medibank directories and databases)”.
“The operator had saved his login details to a personal web browser installed on his work computer,” the statement said.
On or around 7 August, malware was used to access his personal computer, and from there the cybercriminals were able to access Medibank’s Microsoft Exchange Server and virtual private network (VPN).
“The threat actor [cybercriminal] was able to authenticate and log onto Medibank’s Global Protect VPN using only the Medibank Credentials because, during the Relevant Period, access to Medibank’s Global Protect VPN did not require two or more proofs of identity or multi-factor authentication (MFA),” the statement said.
“Rather, Medibank’s Global Protect VPN was configured so that only a device certificate, or a username and password (such as the Medibank Credentials), was required.”
The court documents also reveal numerous reports were made about “serious deficiencies in its cybersecurity and information security framework”.
These included:
- A report of a penetration test of Medibank’s OSHC web environment by Threat Intelligence dated 26 March 2018 that identified weaknesses in Medibank’s cybersecurity framework, including insecure or weak password requirements for accessing its systems. Further penetration test reports provided by Threat Intelligence in September 2018 and November 2020 in relation to different environments identified similar deficiencies regarding insecure or weak password requirements.
- An internal audit report provided by KPMG in or around May 2020 in relation to Medibank’s compliance with APRA CPS 234 assessed Medibank’s overall maturity control rating against CPS 234 as ‘Developing’ and identified a key focus area should be enhancing its processes for assessing the information security capabilities of third parties managing Medibank information assets.
- An Active Directory Risk Assessment report provided by Datacom on or around 27 June 2020 identified that Medibank had an excessive number of individuals who had access to Active Directory (being the Microsoft directory service used for management of all Medibank users, group policies and domains), a number of individuals had been given excessive privileges to perform simple daily routines, and that MFA had not been enabled for privileged and non-privileged users which was described as a “critical” defect.
- An information security internal audit report provided by KPMG in or around August 2021, which assessed the design and effectiveness of a selection of Medibank’s key information security controls supporting 4 of the E8 strategies, including MFA, and the implementation of controls against E8 strategies for key IT assets, identified that MFA had not been implemented for privileged users when accessing particular systems, backend portals, or supporting servers.
- An internal Medibank presentation prepared in around February 2022 in relation to work being undertaken to identify gaps in Medibank’s compliance with CPS 234 identified that a set of security controls and a control review process and timeline for conducting the review had been prepared in 2020, but never implemented.
- In or around July 2022, an internal audit report prepared by KPMG, or alternatively by Medibank, assessing the design and operating effectiveness of a sample of the 32 E8 Maturity Level 3 controls across the E8 mitigation strategies assessed Medibank’s controls that were in scope for the audit as aligned to either Maturity Level Zero, Level 1 or Level 2. The internal audit report identified that vulnerability scanning of workstations was only being done on a representative sample of workstations, that security event monitoring should be uplifted to include unsuccessful MFA attempts, and that application control software was not in place for all servers and workstations.
- On or around 31 August 2022, a report prepared by PricewaterhouseCoopers in relation to an independent limited assurance assessment of the design, description, and operative effectiveness of Medibank’s information security controls in the period 1 June 2021 to 31 May 2022 identified deficiencies in relation to, inter alia, the testing of third-party information security controls.
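The two controls the statement and the audit findings keep returning to are the VPN authentication policy (a device certificate or a username and password on its own, versus a mandatory second factor) and the monitoring of unsuccessful MFA attempts. The following is an added illustrative model, not code or configuration from Medibank, the OAIC or Palo Alto Networks: the gateway policy, the credential store, the certificate list and the log format are all assumptions constructed for the example.

```python
"""Simplified model of a VPN gateway's authentication decision under two
policies, plus a monitor that flags accounts with repeated MFA failures.
Illustrative only: the policy logic, credential store, trusted-certificate
list and log line format are constructed for this example and are not
GlobalProtect's real configuration or log schema."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple, Dict, List

# Constructed credential store: username -> password (a real system stores hashes)
USERS = {"svc_desk_op": "Winter2022!"}

# Constructed set of device certificate fingerprints the gateway trusts
TRUSTED_DEVICE_CERTS = {"ab12cd34"}


@dataclass
class LoginAttempt:
    user: str
    password: Optional[str] = None
    device_cert: Optional[str] = None
    mfa_ok: Optional[bool] = None  # None means no second factor was presented


def authenticate(attempt: LoginAttempt, require_mfa: bool) -> Tuple[bool, str]:
    """Return (allowed, reason).

    With require_mfa=False this mirrors the configuration the statement
    describes: a trusted device certificate OR a valid username/password is
    sufficient by itself, so stolen credentials alone grant access.
    With require_mfa=True a first factor is necessary but not sufficient."""
    has_cert = attempt.device_cert in TRUSTED_DEVICE_CERTS
    has_password = USERS.get(attempt.user) == attempt.password
    if not (has_cert or has_password):
        return False, "no valid first factor"
    if not require_mfa:
        return True, "first factor only"
    if attempt.mfa_ok:
        return True, "first factor + MFA"
    return False, "MFA required"


# Constructed VPN authentication log lines (format is assumed, not a vendor's)
SAMPLE_LOG = """\
2022-08-07T02:11:05Z user=svc_desk_op src=203.0.113.9 stage=password result=success
2022-08-07T02:11:09Z user=svc_desk_op src=203.0.113.9 stage=mfa result=failure
2022-08-07T02:11:31Z user=svc_desk_op src=203.0.113.9 stage=mfa result=failure
2022-08-07T02:12:02Z user=svc_desk_op src=203.0.113.9 stage=mfa result=failure
2022-08-07T08:30:12Z user=j.smith src=198.51.100.4 stage=password result=success
2022-08-07T08:30:20Z user=j.smith src=198.51.100.4 stage=mfa result=failure
2022-08-07T08:30:41Z user=j.smith src=198.51.100.4 stage=mfa result=success
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse 'timestamp key=value ...' lines into dicts (timestamp under 'ts')."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = ts
        events.append(fields)
    return events


def failed_mfa_by_user(events: List[Dict[str, str]], threshold: int = 3) -> Dict[str, int]:
    """Count unsuccessful MFA attempts per account and return those at or
    above the threshold: the kind of signal the July 2022 audit said security
    event monitoring should include."""
    counts = Counter(
        e["user"] for e in events
        if e.get("stage") == "mfa" and e.get("result") == "failure"
    )
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    stolen = LoginAttempt("svc_desk_op", password="Winter2022!")
    print("password only, MFA not required:", authenticate(stolen, require_mfa=False))
    print("password only, MFA required:    ", authenticate(stolen, require_mfa=True))
    print("accounts with repeated MFA failures:", failed_mfa_by_user(parse_log(SAMPLE_LOG)))
```

Under the first policy a valid password (or a certificate copied from a compromised device) is enough, which is the path the statement describes; under the second the same credentials are refused until a second factor succeeds, and the monitor surfaces the account whose MFA prompts keep failing, which is exactly the event class the audit said was missing from monitoring.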
Medibank has said in a statement that it intends to defend the proceedings. The full Concise Statement lodged with the Federal Court has been made publicly available.