Image: Medibank / X

Australian regulator blames lack of multi-factor authentication for Medibank hack

Australia's data protection regulator reveals in court documents that the 2022 attack on health insurance provider Medibank was likely caused by a lack of multi-factor authentication, allowing hackers to access the company's IT systems.

As a result of the Medibank hack, the attackers leaked and published on the dark web the personal data of 9.7 million current and former customers, including sensitive information about their illnesses, disabilities or injuries.

According to the report released this week by the Office of the Australian Information Commissioner (OAIC), the attack likely succeeded because the company neglected basic cybersecurity measures, including requiring its workers to use multi-factor authentication to log onto its VPN.

Medibank failed “to take reasonable steps to protect the personal information from misuse, and unauthorized access or disclosure,” OAIC said.

Given the nature and the volume of the data Medibank stores and collects, and the risk of harm for an individual in the case of a breach, “it was reasonable” for the company to adopt the security measures recommended by Australia’s privacy regulator prior to the attack, according to court documents.

“These measures were not implemented, or, alternatively, not properly implemented or enforced, by Medibank,” OAIC said.

The Australian privacy watchdog said that prior to the hack, Medibank was aware “of serious deficiencies in its cybersecurity and information security.”

According to the report, the attack on Medibank is traced to an IT service desk operator for a contractor who used a personal browser profile on a work computer.

His credentials were then synced to his home computer, which hackers infected with information-stealing malware, giving them access to all the passwords saved in his browser, including those that provided access to Medibank admin accounts.

In particular, the threat actor was able to authenticate and log on to Medibank’s GlobalProtect VPN using only the Medibank credentials because the company did not require two or more proofs of identity or multi-factor authentication, the report said.

Instead, Medibank’s GlobalProtect VPN was configured so that only a device certificate or a username and password were required to access it.
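To make the configuration flaw concrete, here is a small model of VPN authentication policy, added as an illustration and not taken from the report or from any vendor's product: a policy that accepts a device certificate *or* a password collapses to single-factor authentication, so a password harvested by an infostealer is enough, whereas a policy requiring the factors together rejects it. The factor names, the category mapping and the "stolen credentials" scenario are constructed for this example; it also shows the more general point that two factors from the same category (two possession factors) are still not multi-factor.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Factor categories (constructed for this model): real MFA needs evidence
# from at least two distinct categories, not just two factors.
CATEGORY = {
    "password": "knowledge",
    "device_cert": "possession",
    "otp": "possession",
}


@dataclass(frozen=True)
class VpnAuthPolicy:
    """Each alternative is a set of factors that together satisfy a login.
    The login is accepted if ANY alternative is fully present."""
    alternatives: Tuple[FrozenSet[str], ...]

    def accepts(self, presented: FrozenSet[str]) -> bool:
        return any(alt <= presented for alt in self.alternatives)

    def weakest_path_categories(self) -> int:
        """Distinct factor categories on the easiest accepted path."""
        return min(len({CATEGORY[f] for f in alt}) for alt in self.alternatives)

    def is_multi_factor(self) -> bool:
        return self.weakest_path_categories() >= 2


# "Only a device certificate or a username and password were required":
WEAK_POLICY = VpnAuthPolicy((frozenset({"device_cert"}), frozenset({"password"})))
# Looks stronger, but certificate + OTP are both possession factors.
TWO_POSSESSION_POLICY = VpnAuthPolicy((frozenset({"device_cert", "otp"}),))
# Corrected: certificate AND password AND a one-time code on every login.
HARDENED_POLICY = VpnAuthPolicy((frozenset({"device_cert", "password", "otp"}),))

# Constructed scenario: an infostealer harvested the saved browser password,
# so the attacker can present the password and nothing else.
STOLEN_CREDS_ONLY = frozenset({"password"})


def login_outcomes() -> dict:
    """Whether a stolen-password-only login is accepted under each policy."""
    return {
        "weak": WEAK_POLICY.accepts(STOLEN_CREDS_ONLY),
        "hardened": HARDENED_POLICY.accepts(STOLEN_CREDS_ONLY),
    }


if __name__ == "__main__":
    for name, p in (("weak", WEAK_POLICY), ("two_possession", TWO_POSSESSION_POLICY),
                    ("hardened", HARDENED_POLICY)):
        print(f"{name}: mfa={p.is_multi_factor()} "
              f"stolen_password_accepted={p.accepts(STOLEN_CREDS_ONLY)}")
```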

As the hackers were obtaining access to more systems, Medibank started receiving various alerts, which were not “appropriately triaged or escalated,” OAIC said. As a result of the attack, the threat actor was able to exfiltrate approximately 520 gigabytes of data from Medibank’s systems.

Australia’s regulators will take legal action against Medibank for failing to protect the medical data of millions of Australians. The company could face a potential fine of more than $21 trillion. Medibank said earlier in June that it intended to defend the proceedings.

The attack on Medibank was previously linked to a Russian national named Aleksandr Gennadievich Ermakov, who was sanctioned by Australia, the U.K. and the U.S.

Ermakov, also known by his aliases “Gustave Dore” and “blade_runner,” is believed to be part of the infamous Russian cybercrime group REvil — one of the most active ransomware gangs.

This was the first time the Australian government has identified a cybercriminal and imposed cyber sanctions of this kind. “It will not be the last,” said Clare O’Neil, the Australian minister for home affairs and cybersecurity.

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.