On 19/6/2024 08:04, Stephen Loosley wrote:
Court docs reveal shocking cause of Medibank breach
Health insurer was warned multiple times.
By Denham Sadler on Jun 18 2024 12:36 PM
https://ia.acs.org.au/article/2024/court-docs-reveal-shocking-cause-of-medibank-breach.html

My post on the privacy list is below.

[ Some clear information has emerged from the OAIC's action against Medibank, well-explained below.

[ Regrettably, even my esteemed UNSW colleague, Richard Buckland, hasn't gone the extra step and argued that OAIC must define baseline security requirements.

[ As it stands, each case will, like this one, have to be litigated at length, and survive barristers' endeavours to use the massively-loopholed Privacy Act to protect the guilty. Defining 2FA as a requirement of all organisations (subject to a couple of provisos, because the world's a complex place) should obviate that need.

[ The first test-case - to establish that the Federal Court accepts OAIC is operating within its powers - would result in consent judgments thereafter, because contesting a fine would just be pouring good money down the sink.

[ OAIC is negligent in not having long ago defined that baseline (and sorry about the repetition of citations):
https://privacy.org.au/Papers/OAIC-InfoSecy-1301.pdf   (2013)
http://www.rogerclarke.com/DV/OAIC-ISGuide-130104.pdf  (2013)
https://www.rogerclarke.com/EC/SSACS.html#App2         (2015)
https://privacy.org.au/wp-content/uploads/2021/04/OAIC-SecGuide-210311.pdf (2021)


Embedded comment:

> According to the OAIC report, in August 2022 an employee of a Medibank contractor saved his Medibank username and password to his personal internet browser profile on a work computer.
>
> When this worker then signed into his internet browser profile on his personal computer, these credentials were synced across.
>
> These credentials provided access to most, if not all, of Medibank’s systems.
>
> Threat actors then stole these credentials from the worker’s personal computer using a malware variant and used them to log into Medibank’s Microsoft Exchange server as a test, according to OAIC.

[ So a contractor sufficiently specialised in IT security to be provided with the keys to the castle failed to protect the data on their own devices against "a malware variant". A co-respondent may need to be drawn into the matter. That's at least contributory negligence. ]

___________________


The shocking cause of the Medibank breach has been revealed.

A lack of an “absolute bare minimum” cyber security requirement contributed to 
the devastating Medibank data breach, according to new court documents that 
also reveal the health insurer was aware of this “critical defect” for more 
than two years before the incident.

The Office of the Australian Information Commissioner (OAIC) has launched civil 
proceedings in the Federal Court against Medibank over the October 2022 data 
breach which saw the personal and highly sensitive information of 9.7 million 
current and former customers stolen and eventually posted on the dark web.

A document filed to court by the OAIC provides a brief overview of the case 
against Medibank, with the privacy watchdog alleging the company “seriously, 
further or alternatively repeatedly, interfered with the privacy of 
approximately 9.7 million individuals whose personal information it held” by 
failing to take reasonable steps to protect it, in breach of Australian law.

According to the OAIC, Medibank was “aware of serious deficiencies in its cyber 
security and information security framework” for at least 18 months before the 
breach.

First and foremost in these issues was the lack of multi-factor authentication, 
commonly regarded as one of the simplest and most basic measures to protect 
systems against cyber attacks and data breaches.

UNSW School of Computer Science and Engineering Professor in cybercrime Richard 
Buckland said the revelations in the report are “shocking” and that 
multi-factor authentication is a basic cyber mitigation measure.

“If all these assertions are true, it’s very sobering,” Buckland told 
Information Age.

“It’s the minimum thing people should be doing.

“The temptation is to find a worker and blame them – to say it’s human error.

“But really this was a company failure and a poor culture allowed these 
individual human errors to lead to catastrophic results.”

According to the OAIC report, in August 2022 an employee of a Medibank 
contractor saved his Medibank username and password to his personal internet 
browser profile on a work computer.

When this worker then signed into his internet browser profile on his personal 
computer, these credentials were synced across.

These credentials provided access to most, if not all, of Medibank’s systems.

Threat actors then stole these credentials from the worker’s personal computer 
using a malware variant and used them to log into Medibank’s Microsoft Exchange 
server as a test, according to OAIC.

Two weeks later, these credentials were used to log into Medibank’s Global 
Protect VPN solution, which it used to control remote access to its corporate 
network.

The malicious actor was able to do this using just the credentials as “access 
to Medibank’s Global Protect VPN did not require two or more proofs of identity 
of multi-factor authentication”.

“Rather, Medibank’s Global Protect VPN was configured so that only a device 
certificate, or a username and password, was required,” the OAIC document said.

The hackers were then able to steal about 520GB of data, including the personal 
information of 9.7 million Medibank customers.

‘Absolute minimum’ of cyber security

Multi-factor authentication is commonly regarded as a key cyber security 
mitigation measure and is one of the Australian Signals Directorate’s Essential 
Eight strategies.

Cyber security expert and Have I Been Pwned founder Troy Hunt said multi-factor 
authentication “should be viewed as an absolute minimum requirement”.

“There’s a very long tail of organisations that haven’t yet adopted 2FA across 
the board, so I’m not surprised to hear this finding about Medibank,” Hunt told 
Information Age.

“Whilst there appears to have been other security failures that contributed to 
this attack, the whole point of a second factor is to ensure incidents like 
this can’t occur when a single factor is compromised.”

OAIC said there were “deficiencies in the form and implementation of Medibank’s 
cyber security and information security framework”, including with its “failure 
to implement or properly configure information security controls of a basic or 
baseline nature or standard for an organisation of Medibank’s size”.

“Medibank’s failure to take reasonable steps commensurate with protecting the 
personal and sensitive information it held, exposed that information to the 
risk of misuse, unauthorised access and / or disclosure,” OAIC told the court.

Forewarnings

OAIC also revealed that Medibank was repeatedly warned of the risks associated 
with its lack of multi-factor authentication in a number of reports prior to 
the devastating cyber incident.

A report by Datacom into Medibank’s cyber security in mid-2020 identified the 
lack of multi-factor authentication as a “critical defect”, finding it was not 
activated for privileged and non-privileged users.

A report by KPMG in August 2021 also found that it was not in place for 
privileged users when accessing particular systems.

Buckland said that the Medibank incident should be a wake-up call to Australian 
businesses to prioritise cyber security.

“I hope this isn’t indicative of the level of focus businesses across Australia 
are putting on IT,” he said.

“[But] my sneaking suspicion is this is just the tip of the iceberg and we’re 
really seeing that companies have not yet fully switched to thinking about 
cyber risk as the risk it is.

“There’s just too much complacency.”



DENHAM SADLER
Denham Sadler is a freelance journalist based in Melbourne. He was previously 
Editor of StartupSmart, and writes on tech and politics. His work has been 
published in The Saturday Paper and The Guardian.


_______________________________________________
Link mailing list
[email protected]
https://mailman.anu.edu.au/mailman/listinfo/link

--
Roger Clarke                            mailto:[email protected]
T: +61 2 6288 6916   http://www.xamax.com.au  http://www.rogerclarke.com

Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Visiting Professorial Fellow                          UNSW Law & Justice
Visiting Professor in Computer Science    Australian National University
