The private Australian health insurer Medibank did not have multi-factor authentication protecting its private network when it was hacked, new court filings allege.
The Office of the Australian Information Commissioner (OAIC) alleges that the lack of multi-factor authentication at Medibank led to the 2022 data breach affecting nearly 9.7 million current and former customers.
Documents filed in the Federal Court on Monday by the OAIC allege the breach began with an employee of a Medibank contractor, an IT service desk operator, who saved his Medibank login details to a personal web browser profile installed on his work computer.
When he later signed into the same browser on his personal computer, the browser synced the saved credentials to that device.
On or around August 7, 2022, malware on that personal computer stole the credentials, and the attacker used them to access Medibank's Microsoft Exchange server and its virtual private network (VPN).
“Global Protect VPN did not require two or more proofs of identity or multi-factor authentication (MFA),” the court documents said.
“Rather, Medibank’s Global Protect VPN was configured so that only a device certificate, or a username and password (such as the Medibank Credentials), was required.”
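The policy the filing describes can be modelled in a few lines. The Python below is an added illustration, not Medibank's configuration and not GlobalProtect code; the user name, password, device-certificate fingerprint and timestamps are constructed, and the one-time-password secret is the RFC 4226 sample key. It contrasts a policy that accepts a device certificate or a username and password on their own with one that requires the password and a time-based one-time code, and shows that credentials lifted from a browser profile pass the first policy and fail the second, and that a one-time code captured alongside the password cannot be replayed later.

```python
import hashlib
import hmac
import struct

# Constructed demo data. The secret is the RFC 4226 sample key; the user,
# password and device fingerprint are made up for this example.
DEMO_SECRET = b"12345678901234567890"
USERS = {"it-desk-contractor": {"password": "Summer2022!", "totp_secret": DEMO_SECRET}}
TRUSTED_DEVICE_CERTS = {"sha256:abc123-corporate-laptop"}  # enrolled device fingerprints


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second window."""
    return hotp(secret, unix_time // step)


def password_ok(user: str, password) -> bool:
    """Knowledge factor: constant-time comparison against the stored password."""
    record = USERS.get(user)
    return record is not None and password is not None and hmac.compare_digest(record["password"], password)


def single_factor_policy(user: str, presented: dict, now: int) -> bool:
    """The arrangement the filing describes: a device certificate OR a username and
    password is sufficient on its own, so a stolen password alone is enough."""
    if presented.get("device_cert") in TRUSTED_DEVICE_CERTS:
        return True
    return password_ok(user, presented.get("password"))


def mfa_policy(user: str, presented: dict, now: int, step: int = 30) -> bool:
    """Knowledge factor (password) AND possession factor (TOTP) must both verify.
    One step of clock drift is tolerated; older codes are rejected, so a code
    captured together with the password is useless once its window has passed."""
    if not password_ok(user, presented.get("password")):
        return False
    code = presented.get("totp")
    if code is None:
        return False
    secret = USERS[user]["totp_secret"]
    return any(hmac.compare_digest(code, totp(secret, now - drift * step, step)) for drift in (0, 1))


def demo() -> dict:
    """Run the stolen-credential scenario against both policies."""
    user = "it-desk-contractor"
    now = 59  # constructed: the RFC 6238 test instant (counter 1)
    stolen = {"password": "Summer2022!"}  # all the malware took from the browser profile
    live_code = totp(DEMO_SECRET, now)
    return {
        "single_factor_accepts_stolen_password": single_factor_policy(user, stolen, now),
        "mfa_rejects_stolen_password": not mfa_policy(user, stolen, now),
        "mfa_accepts_live_code": mfa_policy(user, {**stolen, "totp": live_code}, now),
        "mfa_rejects_replayed_code": not mfa_policy(user, {**stolen, "totp": live_code}, now + 120),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAILED'}")
```

The device-certificate branch in the single-factor policy is the other half of the "or": it is a possession factor, but because the policy accepts either factor alone rather than requiring both, neither branch is multi-factor.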
The breach led to the personal details of past and present Medibank and ahm customers, including names, addresses, Medicare numbers and financial information, being published on the dark web.
The OAIC is alleging Medibank breached sections of the Privacy Act by not taking enough steps to protect the sensitive information it held about its customers.
In 2018 and 2020, Medibank was made aware of weaknesses and vulnerabilities in its cyber security, including “deficiencies regarding insecure or weak password requirements”.
A separate report by Datacom in 2020 found a “number of individuals had been given excessive privileges to perform simple daily routines, and that MFA had not been enabled for privileged and non-privileged users which was described as a ‘critical’ defect”.
Big potential fines
Each contravention comes with a maximum penalty of $2.22 million.
The commissioner is alleging a contravention for each of the 9.7 million customers, which works out to a potential maximum fine of more than $21 trillion.
It will be up to the Federal Court whether any fines are applied.
Changes to the Privacy Act in late 2022 capped the maximum fine a company could receive at $50 million, but the date of the breach allows the commissioner to sue Medibank under the previous rules.
Medibank was contacted for comment.