Information Commissioner publishes concise statement in its civil penalty proceeding against Medibank Private
June 18, 2024 |
Yesterday the Australian Information Commissioner published its Concise statement in its civil penalty proceeding against Medibank Private. It has been reported in the ABC under the heading “The absence of multi-factor authentication led to the Medibank hack, regulator alleges.” The story has also been covered by the Guardian with Medibank’s lack of multi-factor authentication allowed hackers to infiltrate systems, regulator alleges.
The Commissioner has listed Important Facts as being:
- For the financial years ending 30 June 2021, 2022, and 2023, Medibank generated revenue of approximately $6.9 billion, $7.1 billion, and $7.1 billion and annual profit before tax of $632.3 million, $560 million, and $727.1 million, respectively.
- As at 30 June 2022, Medibank employed approximately 3,291 full time employees
- the personal information collected and held by Medibank included:
  - names,
  - dates of birth,
  - home addresses,
  - phone numbers,
  - email addresses,
  - employment details,
  - passport numbers,
  - Medicare numbers,
  - financial information
  - sensitive information, such as information about customers’:
    - race and ethnicity,
    - illnesses,
    - disabilities or injuries,
    - health services
- Prior to 7 August 2022 an IT Service Desk Operator who was an employee of a Medibank contractor had access to a Medibank Admin Account using his Medibank Credentials.
- the contractor saved his Medibank username and password (Medibank Credentials) to his personal internet browser profile on his work computer. When he subsequently signed into his internet browser profile on his personal computer, the Medibank Credentials were synced across to his personal computer
- the Admin Account had access to most (if not all) of Medibank’s systems, including:
  - network drives,
  - management consoles, and
  - remote desktop access to jump box servers (used to access certain Medibank directories and databases)
- on or about 7 August 2022 the Medibank Credentials were stolen from the IT Service Desk Operator’s personal computer by a threat actor, commonly and better known as a hacker using a variant of malware which is known to the parties but not publicly disclosed
- on 12 August 2022 the hacker logged onto Medibank’s Microsoft Exchange server and tested the Medibank Credentials for the Admin Account
- on or around 23 August 2022 the hacker authenticated and logged onto Medibank’s “Global Protect” Virtual Private Network (VPN) solution (which controlled remote access to the Medibank corporate network) and began typing malicious scripts
- the hacker was able to authenticate and log onto Medibank’s Global Protect VPN using only the Medibank Credentials because, during the Relevant Period, access to Medibank’s Global Protect VPN did not require two or more proofs of identity or multi-factor authentication (MFA). Medibank’s Global Protect VPN was configured so that only a device certificate, or a username and password (such as the Medibank Credentials), was required
- on 25 and 25 August 2022 Medibank’s Endpoint Detection and Response (EDR) Security Software sent alerts about the hacker’s activities to a Medibank IT Security Operations email address. These alerts were not appropriately triaged or escalated by either Medibank or its service provider, Orro, at that time.
- from 25 August 2022 until around 13 October 2022 the hacker used Medibank Credentials to access numerous Medibank IT systems and exfiltrated 520 gigabytes of data including names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, passport numbers, health related information and claims data (such as patient names, provider names, primary/secondary diagnosis and procedure codes, treatment dates).
- On 11 October 2022, Medibank:
  - triaged a high severity incident for an alert that identified modification of files needed to exploit the “ProxyNotShell” vulnerability.
  - engaged Threat Intelligence, its existing digital forensics and incident response partner, to perform an incident response investigation.
- Until at least 16 October 2022, when a Threat Intelligence analyst noted that there had been a series of suspicious volumes of data exfiltrated out of Medibank’s network, Medibank was not aware that customer data had been accessed
- on 19 and 22 October 2022 respectively, Medibank was contacted by the hacker and provided with files containing sample data that had been exfiltrated from Medibank’s systems
- Between 9 November 2022 and 1 December 2022, the hacker published data exfiltrated during the data breach on the dark web.
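The VPN access rule described above (a device certificate or a username and password on its own was enough) is what let stolen credentials work from an unmanaged personal computer. The following is an added illustration, not code from the concise statement or from Medibank: it models an access policy as the set of factor combinations that grant entry, evaluates constructed login attempts against the alleged policy and against an assumed hardened one, and includes the audit check a reviewer would run to find access paths that need no second proof of identity.

```python
"""Model of the VPN access rule alleged in the concise statement.
Constructed example; factor names and the hardened policy are assumptions."""
from dataclasses import dataclass

DEVICE_CERT = "device_certificate"
PASSWORD = "username_password"
MFA = "mfa"

# A policy is a list of factor sets; presenting every factor of any one set
# grants access. This is the configuration the statement describes: a
# device certificate OR a username and password was sufficient alone.
ALLEGED_POLICY = [{DEVICE_CERT}, {PASSWORD}]

# Assumed hardened policy (our choice): every path to access includes MFA
# and a certificate from a managed device.
HARDENED_POLICY = [{DEVICE_CERT, PASSWORD, MFA}]


@dataclass(frozen=True)
class Attempt:
    account: str
    presented: frozenset  # factors the connecting client actually supplied


def decide(attempt, policy):
    """Return (accepted, matched_path) for one attempt under one policy."""
    for required in policy:
        if required <= attempt.presented:
            return True, "+".join(sorted(required))
    return False, None


def paths_without_mfa(policy):
    """Audit helper: every access path that grants entry with no second proof.
    A non-empty result is the 'critical' defect the Datacom report described."""
    return [sorted(path) for path in policy if MFA not in path]


# Constructed attempts: the stolen-credential login from a personal computer
# (password only, no certificate, no MFA) and a managed laptop doing it right.
STOLEN_CREDS = Attempt("admin-svc-desk", frozenset({PASSWORD}))
MANAGED_LAPTOP = Attempt("staff01", frozenset({DEVICE_CERT, PASSWORD, MFA}))


def evaluate(policy):
    """Map each constructed attempt to its accept/reject outcome."""
    return {a.account: decide(a, policy)[0] for a in (STOLEN_CREDS, MANAGED_LAPTOP)}


if __name__ == "__main__":
    for name, policy in (("alleged", ALLEGED_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, evaluate(policy), "paths without MFA:", paths_without_mfa(policy))
```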
The proceeding
- the proceeding is brought under section 13(1)G of the Privacy Act
- the acts which are alleged to constitute serious interferences with the privacy of an individual are:
  - the nature of the deficiencies in Medibank’s cybersecurity and information security framework, including Medibank’s failure to implement or properly configure information security controls of a basic or baseline nature or standard for an organisation of Medibank’s size and in light of the volume and sensitivity of the personal information it held
  - the nature of the personal information involved in the contravention, which included sensitive information such as health information and information about the individual’s race and ethnicity
  - the consequences of the contravention, including the exposure of the individual to harm including potential emotional distress and the material risk of identity theft, extortion, and financial crime
- Medibank’s awareness of the deficiencies in its cyber security and information security framework is based on:
  - A report of a penetration test of Medibank’s OSHC web environment by Threat Intelligence dated 26 March 2018 identified weaknesses in Medibank’s cybersecurity framework, including insecure or weak password requirements for accessing its systems. Further penetration test reports provided by Threat Intelligence in September 2018 and November 2020 in relation to different environments identified similar deficiencies regarding insecure or weak password requirements.
  - An internal audit report provided by KPMG in or around May 2020 in relation to Medibank’s compliance with APRA CPS 234 assessed Medibank’s overall maturity control rating against CPS 234 as ‘Developing’ and identified that a key focus area should be enhancing its processes for assessing the information security capabilities of third parties managing Medibank information assets.
  - An Active Directory Risk Assessment report provided by Datacom on or around 27 June 2020 identified that Medibank had an excessive number of individuals who had access to Active Directory (being the Microsoft directory service used for management of all Medibank users, group policies and domains), that a number of individuals had been given excessive privileges to perform simple daily routines, and that MFA had not been enabled for privileged and non-privileged users, which was described as a “critical” defect.
  - An information security internal audit report provided by KPMG in or around August 2021, which assessed the design and effectiveness of a selection of Medibank’s key information security controls supporting 4 of the E8 strategies, including MFA, and the implementation of controls against E8 strategies for key IT assets, identified that MFA had not been implemented for privileged users when accessing particular systems, backend portals, or supporting servers.
  - An internal Medibank presentation prepared in around February 2022 in relation to work being undertaken to identify gaps in Medibank’s compliance with CPS 234 identified that a set of security controls and a control review process and timeline for conducting the review had been prepared in 2020, but never implemented.
  - In or around July 2022, an internal audit report prepared by KPMG, or alternatively by Medibank, assessing the design and operating effectiveness of a sample of the 32 E8 Maturity Level 3 controls across the E8 mitigation strategies assessed Medibank’s controls that were in scope for the audit as aligned to either Maturity Level Zero, Level 1 or Level 2. The internal audit report identified that vulnerability scanning of workstations was only being done on a representative sample of workstations, that security event monitoring should be uplifted to include unsuccessful MFA attempts, and that application control software was not in place for all servers and workstations.
  - On or around 31 August 2022, a report prepared by PricewaterhouseCoopers in relation to an independent limited assurance assessment of the design, description, and operative effectiveness of Medibank’s information security controls in the period 1 June 2021 to 31 May 2022 identified deficiencies in relation to, inter alia, the testing of third-party information security controls.
Disappointingly, the Concise statement has blacked out the allegations of how Medibank failed to protect personal information. That information will be part of the evidence and will probably be aired in open court. There is not much of a public policy argument for excising that information. A long read of most editions of Bleeping Computer and any other IT and cyber security publication would provide an in-depth understanding of how hackers behave and of the inadequacies of sites that are successfully attacked. It is not likely that a hacker could do the same thing, in the same way, to Medibank as has already occurred. Or one would hope so.
The ABC story provides:
The private Australian health insurer Medibank did not have multi factor authentication protections on its private network when it was successfully hacked, new court filings allege.
The Office of the Australian Information Commissioner (OAIC) alleges a lack of multi factor authentication at Medibank led to the 2022 data hack of nearly 9.7 million current and previous customers.
Documents filed to the Federal Court on Monday by the OAIC allege the massive data breach stemmed from an employee of a Medibank contractor, an IT service desk operator, who saved his login details to a personal web browser installed on his work computer.
When he then signed into his internet browser on his personal computer, the credentials were synced to that device.
Those details were then stolen from his personal computer on or around August 7, 2022, with malware, and the thief was then able to access Medibank’s Microsoft Exchange Server and virtual private network (VPN).
“Global Protect VPN did not require two or more proofs of identity or multi-factor authentication (MFA),” the court documents said.
“Rather, Medibank’s Global Protect VPN was configured so that only a device certificate, or a username and password (such as the Medibank Credentials), was required.”
The hack led to the personal details, including names, addresses, Medicare numbers, health information and financial information of past and present Medibank and ahm customers being published on the dark web.
The OAIC is alleging Medibank breached sections of the Privacy Act by not taking enough steps to protect the sensitive information it held about its customers.
In 2018 and 2020, Medibank was made aware of weaknesses and vulnerabilities in its cyber security, including “deficiencies regarding insecure or weak password requirements”.
A separate report by Datacom in 2020 found a “number of individuals had been given excessive privileges to perform simple daily routines, and that MFA had not been enabled for privileged and non-privileged users which was described as a ‘critical’ defect”.
Richard Buckland, a cyber security expert at the University of NSW, describes the allegations in the filing documents as “just shocking”.
He says the login details allegedly accessed from a synced IT worker’s personal computer appears to just be the “proximate cause” of what happened next.
“It shouldn’t have led to such a catastrophic chain of events,” he says.
He says the filings allege there was “audit after audit” on Medibank’s cybersecurity systems and “deficiencies in their systems” that allowed hackers to get into them.
“It’s no surprise the regulator is outraged and reacting so vigorously.”
Big potential fines
Each contravention comes with a maximum penalty of $2.22 million.
The commissioner is alleging a contravention for each of the 9.7 million customers, which works out to a potential maximum fine of more than $21 trillion.
It will be up to the Federal Court whether any fines are applied.
Changes to the Privacy Act in late 2022 set the maximum fine a company could receive at $50 million or 30 per cent of its turnover during the period of the breach, whichever was greater.
However, the Medibank breach occurred before those new laws were in place and is subject to the old penalties.
Medibank declined to comment.
Medibank’s alleged failures to heed warnings and take appropriate steps to improve cyber security are typical of many organisations, large and small. There is an epidemic of box ticking, commissioning pen testing, doing audits and reviews and then filing the reports and results away for further consideration when the organisation has more time and money to consider it. It is a depressingly familiar story that I see quite regularly.