The Office of the Australian Information Commissioner (OAIC) has alleged that Medibank Private was aware of significant shortcomings in its cybersecurity practices and information security frameworks before a major data breach occurred. This breach led to cybercriminals obtaining the personal details of 9.7 million customers, making it one of the largest privacy breaches in Australian history. The OAIC's allegations suggest that Medibank Private had foreknowledge of potential vulnerabilities but failed to adequately address them, resulting in a significant breach of customer data. The incident underscores the importance of robust cybersecurity measures and the potential consequences of failing to address known vulnerabilities.

In its concise statement dated 14 June and submitted the court this week, the Australian Information Commissioner said between 12 March 2021 and 13 October 2022, Medibank had repeatedly interfered with the privacy of approximately 9.7m individuals due to its use of personal information collected and held. This included information such as date of birth, home addresses, phone numbers, email addresses, employment details, passport numbers, Medicare numbers, financial information, plus sensitive information about Medibank's customers' race and ethnicity and health information such as information about any illnesses, disabilities or injuries, health services provided to the individual and health claims data.

During this time period, the Commissioner has alleged Medibank was "aware of serious deficiencies in its cybersecurity and information security framework" and has supplied several documents to back up its claim. According to the statement, one of the trigger points to the data breach was Medibank's use of an IT service desk contractor via a third-party IT contracting firm, who saved Medibank username and password details for several accounts to his personal internet browser profile on a computer used to provide IT services to the organisation. This included admin-level account permissions, giving the worker access to network drivers, management consoles and remote desktop access to jump box servers used to access certain Medibank directories and databases.

The OAIC stated these details were stolen on 7 August 2022 by a threat actor via malware, who was then able to test credentials, authenticate and log onto Medibank's global VPN solution controlling its corporate network, add in a malicious script on or around 23 August 2022 and then proceed to obtain a copy of sensitive data from its network.

In all, the threat actor took about 520 gigabytes of personally sensitive and identifier data from Medibank's systems.

As well as the password protection and use management failures plus lack of appropriate escalation steps, the OAIC has noted one of the biggest potential gaps at Medibank was a lack of multi-factor authentication (MFA) in place, which would have potentially prevented such malicious access from occurring.

It gets worse. The OAIC has also alleged triggered alerts from the activity on or around 24-25 August that were sent to a Medibank IT security operations email address were neither appropriately triaged or escalated either by Medibank staff or its service provider, Orro, at that time. Several further alerts generated were also not triaged or escalated, the OAIC alleged.

In fact, it took until 11 October, when Medibank's security operations team triaged a high severity incident via an alert and noted vulnerability, that a digital forensics and incident response partner was brought in and an investigation launched, the OAIC statement reads.

As was reported in the immediate aftermath of the incident, the malicious actor subsequently published data extracted from Medibank's systems on the dark web between 9 November and 1 December 2022.

"Medibank's failure to take reasonable steps commensurate with protecting the personal and sensitive information it held, exposed that information to the risk of misuse, unauthorised access and/or disclosure. That risk materialised when Medibank was the subject of a cyberattack and one or more threat actors accessed personal identifying information and health information and posted this information on the dark web, exposing approximately 9.7 million individuals to the risk of harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime," the OAIC said in its statement. According to the document, Medibank's FY22 information technology budget was approximately $4-5 million, of which $1 million was allocated for cybersecurity. Its core IT security function comprised of 13 full-time IT security professionals.

In a statement, Orro noted its inclusion as part of the federal court filing of the Australian Information Commissioner against Medibank and confirm it was "briefly engaged" for a short -term pilot program which was still in the implementation stage when the 2022 cyber breaches occurred.

"This was for a very limited scope and Orro was not engaged by Medibank at the relevant time to provide broader managed IT or security services. Under this arrangement, we had limited access to Medibank's security controls and were not responsible for broader incident response activities," the company stated. 

- Additional reporting by Nadia Cameron