Scathing report on Medibank cyberattack highlights unenforced MFA (Security News, June 2024)
A scathing report by Australia's Information Commissioner details how misconfigurations and missed alerts allowed a hacker to breach Medibank and steal data from over 9 million people.
In October 2022, Australian health insurance provider Medibank disclosed that it had suffered a cyberattack that disrupted the company's operations.
According to the report, it all started with a Medibank contractor using his personal browser profile on his work computer and saving his Medibank credentials in the browser.
The report states that Medibank failed to protect users' data as it had not enforced multi-factor authentication on VPN credentials and allowed anyone with access to the credentials to log into the device.
"The threat actor was able to authenticate and log onto Medibank's Global Protect VPN using only the Medibank Credentials because, during the Relevant Period, access to Medibank's Global Protect VPN did not require two or more proofs of identity or multi-factor authentication. Rather, Medibank's Global Protect VPN was configured so that only a device certificate, or a username and password, was required," continued the report.
It wasn't until mid-October, when Medibank brought in a threat intelligence firm to investigate a Microsoft Exchange ProxyNotShell incident, that it discovered data had previously been stolen in the cyberattack.