[LINK] The Medibank data breach (9.7 million)
Roger Clarke
Roger.Clarke at xamax.com.au
Thu Jun 20 02:32:00 AEST 2024
On 19/6/2024 08:04, Stephen Loosley wrote:
> Court docs reveal shocking cause of Medibank breach
> Health insurer was warned multiple times.
> By Denham Sadler on Jun 18 2024 12:36 PM
> https://ia.acs.org.au/article/2024/court-docs-reveal-shocking-cause-of-medibank-breach.html
My post on the privacy list is below.
[ Some clear information has emerged from the OAIC's action against
Medibank, well-explained below.
[ Regrettably, even my esteemed UNSW colleague, Richard Buckland, hasn't
gone the extra step and argued that OAIC must define baseline security
requirements.
[ As it stands, each case will, like this one, have to be litigated at
length, and survive barristers' endeavours to use the
massively-loopholed Privacy Act to protect the guilty. Defining 2FA as
a requirement of all organisations (subject to a couple of provisos,
because the world's a complex place) should obviate that need.
[ The first test-case - to establish that the Federal Court accepts OAIC
is operating within its powers - would result in consent judgments
thereafter, because contesting a fine would just be pouring good money
down the sink.
[ OAIC is negligent in not having long ago defined that baseline (and
sorry about the repetition of citations):
https://privacy.org.au/Papers/OAIC-InfoSecy-1301.pdf (2013)
http://www.rogerclarke.com/DV/OAIC-ISGuide-130104.pdf (2013)
https://www.rogerclarke.com/EC/SSACS.html#App2 (2015)
https://privacy.org.au/wp-content/uploads/2021/04/OAIC-SecGuide-210311.pdf (2021)
Embedded comment:
> According to the OAIC report, in August 2022 an employee of a
> Medibank contractor saved his Medibank username and password to his
> personal internet browser profile on a work computer.
>
> When this worker then signed into his internet browser profile on his
> personal computer, these credentials were synced across.
>
> These credentials provided access to most, if not all, of Medibank’s
> systems.
>
> Threat actors then stole these credentials from the worker’s personal
> computer using a malware variant and used them to log into Medibank’s
> Microsoft Exchange server as a test, according to OAIC.
[ So a contractor sufficiently specialised in IT security to be provided
with the keys to the castle failed to protect the data on their own
devices against "a malware variant". A co-respondent may need to be
drawn into the matter. That's at least contributory negligence. ]
___________________
> The shocking cause of the Medibank breach has been revealed.
>
> A lack of an “absolute bare minimum” cyber security requirement contributed to the devastating Medibank data breach, according to new court documents that also reveal the health insurer was aware of this “critical defect” for more than two years before the incident.
>
> The Office of the Australian Information Commissioner (OAIC) has launched civil proceedings in the Federal Court against Medibank over the October 2022 data breach which saw the personal and highly sensitive information of 9.7 million current and former customers stolen and eventually posted on the dark web.
>
> A document filed to court by the OAIC provides a brief overview of the case against Medibank, with the privacy watchdog alleging the company “seriously, further or alternatively repeatedly, interfered with the privacy of approximately 9.7 million individuals whose personal information it held” by failing to take reasonable steps to protect it, in breach of Australian law.
>
> According to the OAIC, Medibank was “aware of serious deficiencies in its cyber security and information security framework” for at least 18 months before the breach.
>
> First and foremost in these issues was the lack of multi-factor authentication, commonly regarded as one of the simplest and most basic measures to protect systems against cyber attacks and data breaches.
>
> UNSW School of Computer Science and Engineering Professor in cybercrime Richard Buckland said the revelations in the report are “shocking” and that multi-factor authentication is a basic cyber mitigation measure.
>
> “If all these assertions are true, it’s very sobering,” Buckland told Information Age.
>
> “It’s the minimum thing people should be doing.
>
> “The temptation is to find a worker and blame them – to say it’s human error.
>
> “But really this was a company failure and a poor culture allowed these individual human errors to lead to catastrophic results.”
>
> According to the OAIC report, in August 2022 an employee of a Medibank contractor saved his Medibank username and password to his personal internet browser profile on a work computer.
>
> When this worker then signed into his internet browser profile on his personal computer, these credentials were synced across.
>
> These credentials provided access to most, if not all, of Medibank’s systems.
>
> Threat actors then stole these credentials from the worker’s personal computer using a malware variant and used them to log into Medibank’s Microsoft Exchange server as a test, according to OAIC.
>
> Two weeks later, these credentials were used to log into Medibank’s Global Protect VPN solution, which it used to control remote access to its corporate network.
>
> The malicious actor was able to do this using just the credentials as “access to Medibank’s Global Protect VPN did not require two or more proofs of identity of multi-factor authentication”.
>
> “Rather, Medibank’s Global Protect VPN was configured so that only a device certificate, or a username and password, was required,” the OAIC document said.
>
> The hackers were then able to steal about 520GB of data, including the personal information of 9.7 million Medibank customers.
>
> ‘Absolute minimum’ of cyber security
>
> Multi-factor authentication is commonly regarded as a key cyber security mitigation measure and is one of the Australian Signals Directorate’s Essential Eight strategies.
>
> Cyber security expert and Have I Been Pwned founder Troy Hunt said multi-factor authentication “should be viewed as an absolute minimum requirement”.
>
> “There’s a very long tail of organisations that haven’t yet adopted 2FA across the board, so I’m not surprised to hear this finding about Medibank,” Hunt told Information Age.
>
> “Whilst there appears to have been other security failures that contributed to this attack, the whole point of a second factor is to ensure incidents like this can’t occur when a single factor is compromised.”
>
> OAIC said there were “deficiencies in the form and implementation of Medibank’s cyber security and information security framework”, including with its “failure to implement or properly configure information security controls of a basic or baseline nature or standard for an organisation of Medibank’s size”.
>
> “Medibank’s failure to take reasonable steps commensurate with protecting the personal and sensitive information it held, exposed that information to the risk of misuse, unauthorised access and / or disclosure,” OAIC told the court.
>
> Forewarnings
>
> OAIC also revealed that Medibank was repeatedly warned of the risks associated with its lack of multi-factor authentication in a number of reports prior to the devastating cyber incident.
>
> A report by Datacom into Medibank’s cyber security in mid-2020 identified the lack of multi-factor authentication as a “critical defect”, finding it was not activated for privileged and non-privileged users.
>
> A report by KPMG in August 2021 also found that it was not in place for privileged users when accessing particular systems.
>
> Buckland said that the Medibank incident should be a wake-up call to Australian businesses to prioritise cyber security.
>
> “I hope this isn’t indicative of the level of focus businesses across Australia are putting on IT,” he said.
>
> “[But] my sneaking suspicion is this is just the tip of the iceberg and we’re really seeing that companies have not yet fully switched to thinking about cyber risk as the risk it is.
>
> “There’s just too much complacency.”
>
> DENHAM SADLER
> Denham Sadler is a freelance journalist based in Melbourne. He was previously Editor of StartupSmart, and writes on tech and politics. His work has been published in The Saturday Paper and The Guardian.
>
> _______________________________________________
> Link mailing list
> Link at anu.edu.au
> https://mailman.anu.edu.au/mailman/listinfo/link
--
Roger Clarke mailto:Roger.Clarke at xamax.com.au
T: +61 2 6288 6916 http://www.xamax.com.au http://www.rogerclarke.com
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Visiting Professorial Fellow UNSW Law & Justice
Visiting Professor in Computer Science Australian National University