Medibank's failure to implement multi-factor authentication (MFA) could have led to the data breach that exposed the personal information of 9.7 million customers.

New allegations by the Australian privacy regulator, revealed in court documents [PDF], suggest that the insurer's network security relied solely on usernames and passwords, a configuration that facilitated unauthorised access by hackers.

The cyberattack, which compromised sensitive information of 5.1 million Medibank customers, 2.8 million ahm customers, and 1.8 million international customers, led to the publication of personal data on the dark web. 

This included intimate details such as pregnancy terminations, described by Medibank CEO David Koczkar as “disgraceful”. 

Medibank initially attributed the breach to a third-party contractor and a misconfigured firewall. 

However, the court case, spearheaded by the Office of the Australian Information Commissioner (OAIC), has revealed a more complex scenario involving multiple cybersecurity lapses.

The OAIC alleges that an IT service desk operator saved his Medibank credentials, including admin access, to his personal internet browser profile. 

When his personal computer was compromised by malware on August 7, 2022, these credentials were stolen by a hacker. 

The hacker tested these credentials by logging into Medibank's email server and later gained remote access via Medibank's Global Protect VPN, which did not require MFA.

According to the OAIC, the hacker’s activity was detected but not adequately triaged or escalated, allowing the hacker to remain within Medibank’s network for nearly two months. During this period, approximately 520GB of personal data was exfiltrated.

The OAIC points out that Medibank was repeatedly warned about its cybersecurity vulnerabilities. 

Reports by KPMG and Datacom in 2021 and 2020 allegedly identified the absence of MFA as a “critical” issue. 

Despite these warnings, Medibank is accused of failing to implement MFA, which the OAIC claims is a reasonable step to protect customer data.

Reports say Medibank's internal audits also highlighted significant cybersecurity deficiencies. 

These included weak password requirements and the lack of implementation of controls to identify gaps in compliance with information security standards set by the Australian Prudential Regulation Authority.

An ongoing Federal Court case accuses Medibank of serious interference with the privacy of approximately 9.7 million individuals, each contravention potentially attracting a maximum fine of $2.22 million. 

The privacy regulator argues that Medibank’s negligence exposed its customers to emotional distress, identity theft, extortion, and financial crime.

The government has identified Aleksandr Gennadievich Ermakov, a 33-year-old Russian IT worker linked to the notorious REvil cybercrime gang, as responsible for the hack. 

REvil has a history of extensive ransomware activities, having targeted 175,000 computers worldwide to amass over $200 million in ransoms.

Medibank, which has increased its revenue and gross profit to $7.1 billion and $727.1 million respectively in the year following the hack, intends to “defend the proceedings”.