A court filing by the Australian Information Commissioner revealed how a hacker accessed the data of 9.7 million Medibank customers before publishing it on the dark web.
At some point before early August 2022, an external service desk contractor was granted administrator access to virtually the entire Medibank network, the first step in a series of events that would ultimately lead to a data breach that would affect almost 10 million Australians.
The Australian Information Commissioner (AIC) revealed these details and more in a June 14 submission to the Federal Court of Australia, in which the AIC alleges that Medibank “additionally or repeatedly interfered with the privacy of approximately 9.7 million people (including current and former Medibank clients), whose personal information it held, in violation of section 13G of the Privacy Act 1988”.
In a section titled “Significant Facts Giving Rise to the Claim,” the AIC then presents a forensic timeline of the events leading up to the data breach, including the steps it alleges Medibank failed to take to protect its data.
The incident has its roots sometime before August 7, 2022, when the service desk contractor was given standard and administrator access to the Medibank network. The contractor saved his login credentials to his personal browser on his work computer, which then synced them to his personal computer shortly after.
According to the AIC filing, “the administrator account had access to most (if not all) Medibank systems, including network drives, management consoles, and remote desktop access to jump box servers (used to access certain Medibank directories and databases).”
Those credentials were then stolen sometime around August 7 by a threat actor using a “malware variant” that is redacted in the court document, along with other technical details.
Then, on August 12, the hacker used those credentials to test their access to Medibank’s Microsoft Exchange server. Nearly two weeks later, around August 23, the hacker was able to “authenticate and log in” to the company’s GlobalProtect VPN, allowing them to execute a “type of malicious script commonly used by threat actors.”
The AIC claims that this access was only possible due to Medibank’s lack of cybersecurity preparedness. At the time, according to the document, Medibank’s VPN was not configured for multi-factor authentication, nor did it require “two or more proofs of identity”; all the threat actor needed to access the network were the stolen credentials.
Most alarmingly, the document reveals that Medibank’s security software detected the intrusion, but the alerts were not properly followed up at the time.
“On or about August 24 and 25, 2022, Medibank’s Endpoint Detection and Response (EDR) security software [REDACTED] generated several alerts in relation to the threat actor’s activity which were sent to a Medibank IT Security Operations email address,” the AIC said.
“These alerts were not appropriately classified or escalated.”
Because of this, according to the AIC, the threat actor had access to Medibank’s internal data for more than a month, from August 25 to October 13. During this time, they were able to exfiltrate 520 gigabytes of personal data, including “names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, passport numbers, health-related information, and claims data.”
Claims data included patient details such as procedures and diagnoses.
It was not until October 11 that Medibank and its incident response partner, Threat Intelligence, began responding to the ongoing data breach. A Threat Intelligence analyst observed “a number of suspicious volumes of data leaked from the Medibank network” on October 16, the first time Medibank became aware that customer data had been compromised.
The hacker contacted Medibank on October 19 and 22 and provided the insurer with evidence of the attack. Then, between November 9 and December 1, 2022, the hacker posted the stolen data on the dark web.
The AIC noted in its filing that under the Privacy Act, Medibank, as an entity bound by the Australian Privacy Principles, was responsible for safeguarding the personal information it held.
“Medibank failed to take this principle into account during the relevant period as it failed to adequately manage cybersecurity and/or information security risk in a manner consistent with the nature and volume of personal information it held (which included sensitive information, such as information about the race, ethnicity and health information of its customers), its size and the risk profile of the organizations operating within its sector,” the AIC alleged.
“Medibank did not invest sufficiently in specialized cybersecurity and/or information security resources or in the policies, practices and controls reasonably necessary to protect the personal information it held.”