Cyber security

Medibank data breach: third-party IT provider’s stolen credentials used by hackers

- March 2, 2023 2 MIN READ
Photo: AdobeStock

The hacker got credentials from a third-party IT provider.

Australian health insurer Medibank made a “rookie mistake” that led to one of the largest data breaches in our country’s history, a cyber security expert has claimed in the wake of new details about the breach.

In its half-yearly report, Medibank shared a brief outline of how the Russian-based attackers got access to personal details of all 9.7 million of its customers.

The health insurer said its systems were accessed “using a stolen Medibank username and password used by a third-party IT service provider.”

“The criminal used the stolen credentials to access Medibank’s network through a misconfigured firewall which did not require an additional digital security certificate,” the health insurer said.

“The criminal was able to obtain further usernames and passwords to gain access to a number of Medibank’s systems and their access was not contained.

Once inside, the attackers gained a trove of customer information which they used to try and extort Medibank, demanding a ransom which the company refused to pay.

The saga ended with the hackers dumping the full 5GB dataset online.

Louay Ghashash, chair of the Australian Computer Society’s (ACS) Cyber Security Committee, said it was a “rookie mistake” for Medibank to give a third party uncontrolled access to its systems.

“The fact they left this service provider running freely without checking its security practices and conducting user access reviews is a failure on Medibank’s part,” Ghashash told Information Age.

“Service providers needs to have security standards that are better than or equal to the customer’s standard but it’s up to the customers to make certain of that.”

Ghashash said it’s not uncommon for companies to share admin accounts with third-party providers who may need high-level access to their environment.

But this makes it near-impossible to enforce multi-factor authentication (MFA), creating a serious weakness in that company’s security.

“Service providers are often necessary but they can add elevated risk to a business, so you need to ensure you trust them,” he said.

“In some cases you need to audit the firm, send someone to validate their claims that they regularly patch their infrastructure, and see evidence that they are following the Essential Eight at a minimum.

For Medibank, the cost of failing to mitigate against the risk of a third party handing over high-level credentials to an attacker has already reached $26 million, though it expects that figure could be as high as $45 million by the end of the financial year.

And that’s excluding the potential “remediation, regulatory or litigation related costs” which might come from a class action lawsuit that has been launched against the insurer or fines from the Office of the Australian Information Commission (OAIC) which is investigating the breach.

Aaron Bugal, regional CTO with cyber security company Sophos, said “negligence has proven to be a complicit element” in cyber attacks

“Multifactor authentication could have negated the impact of stolen credentials, and while not impervious to a determined cyber criminal, it would have limited the ease with which they gained initial access,” he said.

On Wednesday, the OAIC published its latest notifiable data breaches report covering the July to December 2023.

In that period, the commissioner was notified of 497 breaches, most of which affected fewer than 100 people.

Of those breaches, 70% were attributed to criminal or malicious attacks, with 25% being caused by human error – such as personal information being emailed to the wrong recipient – and the remaining 5% a result of system faults.