Australian regulators have revealed that a significant breach at Medibank, involving the exposure of data belonging to 9.7 million individuals, was facilitated by the absence of multifactor authentication (MFA) on the company's global VPN. The breach occurred in 2022 when a threat actor used stolen credentials from an IT services desk contractor to access Medibank's IT systems.
The compromised data, subsequently published on the dark web, included sensitive information such as names, birthdates, genders, Australian Medicare numbers, addresses, email addresses, phone numbers, visa details for international customers, and health claims data. This breach underscores serious shortcomings in Medibank's cybersecurity measures, particularly regarding the protection of personal information.
According to Australia's information commissioner, from March 12, 2021, to October 13, 2022, Medibank failed to adequately safeguard the personal information of its customers, breaching Australian Privacy Principle 11.1, which mandates reasonable steps to secure personal data from unauthorized access or disclosure.
The regulator has initiated legal action seeking substantial financial penalties against Medibank, citing the insurer's awareness of significant cybersecurity deficiencies during the period of the breach. Despite generating $7.1 billion in revenue and employing nearly 3,300 staff in 2022, Medibank's cybersecurity measures, including an IT security team of 13 and an annual IT budget of $4-5 million, with $1 million allocated for cybersecurity, were found inadequate.
While the court filings do not name the specific threat actor involved, earlier sanctions imposed by Australia, the U.S., and the U.K. targeted a Russian national allegedly linked to the Medibank breach. The breach was facilitated when credentials stored on a personal work computer of a third-party contractor were compromised through malware.
The breach timeline reveals that from August 7 to October 23, 2022, the threat actor utilized the stolen credentials to access various Medibank IT systems, exfiltrating 520 gigabytes of sensitive data. During this period, Medibank's VPN lacked MFA, allowing the threat actor to log in using stolen credentials without additional identity verification.
The incident highlights a common vulnerability in the healthcare sector, where lapses in implementing MFA have led to numerous breaches. Regulatory bodies are increasingly advocating for stronger cybersecurity practices, including mandatory MFA implementation, to mitigate such risks.
As the healthcare sector faces mounting cybersecurity challenges, including complex IT environments and resistance to security controls, experts stress the importance of comprehensive risk management and regulatory compliance to safeguard sensitive patient information.
Medibank has not responded to requests for comment on the legal proceedings initiated by the information commissioner regarding the breach and regulatory violations.