
Medibank breach: Security failures revealed (lack of MFA among them)
2024-06-18 14:22

The 2022 Medibank data breach and extortion attack, perpetrated by the REvil ransomware group, began with the attackers using login credentials stolen from the personal computer of an employee of one of Medibank's IT contractors.

According to a statement by the Australian Information Commissioner filed with the Federal Court of Australia, the credentials were stolen by infostealer malware after that employee "saved his Medibank username and password for a number of Medibank accounts to his personal internet browser profile on the work computer he used to provide IT services to Medibank", and then signed into that browser profile on his personal computer, syncing the saved credentials to a machine outside the contractor's control.

The attackers used the compromised credentials for a standard-access Medibank account and an admin Medibank account to log onto Medibank's Microsoft Exchange server and to authenticate to Medibank's "Global Protect" VPN solution.

In the wake of the breach, the Office of the Australian Information Commissioner opened an investigation into whether Medibank - one of the largest private health insurance providers in the country - took "reasonable steps" to protect its customers' data.

The specifics have been redacted, but the AIC said that Medibank "failed adequately to manage cybersecurity and/or information security risk congruent with the nature and volume of personal information it held, its size, and the risk profile of organisations operating within its sector."

An appendix of the filing pointed out a number of measures Medibank should have adopted, including implementing multi-factor authentication for remote access users to the Global Protect VPN and to critical information assets once inside its network perimeter.
