
How did the Medibank data breach happen and how to avoid it?

Learn about the Medibank data breach, key vulnerabilities exploited, prevention measures and actionable strategies to prevent similar cyberattacks.


Vincent

Created: December 17, 2024

Updated: December 17, 2024


Our mission is to make the Internet a safer place, and the new login standard passkeys provides a superior solution to achieve that. That's why we want to help you understand passkeys and its characteristics better.

1 Introduction#

In October 2022, Medibank, one of Australia’s largest private health insurers, suffered a data breach that exposed the sensitive personal and medical information of 9.7 million customers. This incident showed the severe consequences of failing to implement basic cybersecurity measures. Understanding how the breach occurred and which security gaps were exploited is essential to prevent similar attacks in the future.

That is why this blog post will cover these main questions:

  • What vulnerabilities enabled the Medibank breach?
  • What countermeasures could have prevented the Medibank breach?

2 How Did the Medibank Data Breach Happen?#

The Medibank data breach was not the result of sophisticated hacking methods. Instead, it occurred because of a series of preventable security mistakes. These oversights allowed cybercriminals to enter Medibank’s network, steal large amounts of sensitive information, and then demand a ransom.

2.1 Stolen Credentials and Unsecured Entry Points#

The attack began when a third-party IT provider, contracted by Medibank, stored Medibank’s administrator-level login details on a personal device. This device was infected with malware, which allowed attackers to obtain user credentials. Because Medibank’s remote access system did not require multi-factor authentication at the time, the attackers could log into the company’s network using these stolen credentials, appearing to be authorized users.

2.2 Data Theft and Delayed Response of Medibank#

Once inside Medibank’s system, the criminals installed a script to search for and extract sensitive customer information. They compressed this data and transferred it out of the network through a built-in backdoor. Although the company’s security tools flagged suspicious activities, these alerts were not followed up on with the urgency they required. By the time Medibank’s security team finally acted and shut down the attackers’ access, 200 GB of personal data had already been stolen.
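The point of this section is that the exfiltration was visible in the telemetry but nobody acted on it in time. The following script is an added example (not code from the original post or from Medibank) showing the kind of egress-volume check a security team can run over outbound proxy or flow logs: it sums bytes per source host in a sliding one-hour window, compares each host against both an absolute limit and a multiple of the median host, and raises the severity when the upload is an archive. The log format, hostnames, thresholds and sample lines are all constructed for this example.

```python
"""Flag bulk outbound transfers in constructed egress log lines.

Added example, not part of the original post. Field layout
"<iso-time> <src-host> <dst-host> <bytes-out> <path>", thresholds and
the sample data below are assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re
import statistics

# Constructed sample log: three workstations doing normal traffic and one
# admin host pushing large .zip parts to an external address.
SAMPLE_LOG = """\
2022-10-10T01:00:00 ws-012 update.example.net 20480 /patches/kb1.msi
2022-10-10T01:05:00 ws-017 cdn.example.net 15360 /img/logo.png
2022-10-10T01:10:00 ws-044 mail.example.net 8192 /api/send
2022-10-10T02:00:00 ws-044 mail.example.net 4096 /api/send
2022-10-10T02:10:00 db-adm-01 203.0.113.77 524288000 /upload/part001.zip
2022-10-10T02:15:00 db-adm-01 203.0.113.77 524288000 /upload/part002.zip
2022-10-10T02:20:00 db-adm-01 203.0.113.77 524288000 /upload/part003.zip
2022-10-10T02:25:00 ws-012 update.example.net 10240 /patches/kb2.msi
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")
ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar", ".tar", ".gz", ".tgz")


def parse_log(text):
    """Turn raw lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, nbytes, path = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "bytes": int(nbytes), "path": path})
    return events


def max_window_bytes(events, window):
    """Largest number of bytes each host sent inside any span of length `window`."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["src"]].append(e)
    peaks = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        total, left, peak = 0, 0, 0
        for right, e in enumerate(evs):
            total += e["bytes"]
            # Slide the left edge forward until the window fits.
            while evs[right]["ts"] - evs[left]["ts"] > window:
                total -= evs[left]["bytes"]
                left += 1
            peak = max(peak, total)
        peaks[host] = peak
    return peaks


def find_bulk_egress(events, window=timedelta(hours=1),
                     absolute_limit=100 * 1024 * 1024, ratio=10.0):
    """Return alerts for hosts whose peak window exceeds the absolute limit
    or `ratio` times the median peak of all hosts (a crude baseline)."""
    peaks = max_window_bytes(events, window)
    baseline = statistics.median(peaks.values()) if peaks else 0
    alerts = []
    for host, peak in peaks.items():
        if peak >= absolute_limit or (baseline and peak >= ratio * baseline):
            host_events = [e for e in events if e["src"] == host]
            archive = any(e["path"].lower().endswith(ARCHIVE_SUFFIXES)
                          for e in host_events)
            alerts.append({
                "host": host,
                "peak_bytes": peak,
                "destinations": sorted({e["dst"] for e in host_events}),
                "archive_upload": archive,
                # Compressed bulk uploads are the classic exfiltration shape.
                "severity": "critical" if archive else "high",
            })
    return sorted(alerts, key=lambda a: -a["peak_bytes"])


if __name__ == "__main__":
    for alert in find_bulk_egress(parse_log(SAMPLE_LOG)):
        print(alert)
```

In a real deployment the baseline would come from the host's own history rather than the median of one log extract, and an alert of severity "critical" should page someone rather than sit in a queue, which is exactly the follow-up gap the section describes.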

2.3 Ransom Demands and Data Leaks#

The stolen information included:

  • Names
  • Dates of birth
  • Passport details
  • Medicare numbers

With possession of this data, the attackers demanded a ransom of $10 million USD to stop them from releasing it to the public. Medibank refused to pay, believing that doing so would encourage further attacks. In response, the criminals began leaking portions of the data on the dark web, placing additional pressure on the company.


3 Key Vulnerabilities in Medibank’s Security#

The Medibank breach showed several critical weaknesses in the organization’s cybersecurity defenses. By failing to implement these essential security controls, Medibank created opportunities for attackers to exploit privileged access, navigate internal systems, and exfiltrate sensitive data. Here are the key vulnerabilities that contributed to the incident:

3.1 Lack of Credential Protection#

Medibank’s failure to safeguard privileged credentials allowed the attackers to bypass the initial security measures: with no 2FA/MFA in place, the stolen login alone was enough to get inside the system.

3.2 Absence of the Principle of Least Privilege (POLP)#

The employee account bought by the hackers on the dark web had more access than was necessary for daily tasks, increasing the impact of a high-privilege account compromise. This allowed the attackers to access critical data directly.

3.3 Insufficient Network Segmentation#

The lack of network segmentation made it easier for attackers to locate and exfiltrate sensitive data. Without isolated zones or robust access controls, the attackers could access the database without encountering significant barriers.

3.4 Delayed Detection of Backdoors#

Although Medibank eventually detected the breach, its delayed response gave the attackers time to download a significant amount of data before the attack was shut down.


4 How Could the Medibank Breach Have Been Prevented?#

Here are four strategies that could have mitigated or even prevented the Medibank data breach:

4.1 Implement Cyber Threat Awareness Training#

Teaching employees how to recognize phishing attempts and credential theft can reduce the risk of initial compromise since phishing remains one of the most common methods for credential theft.

4.2 Enforce the Principle of Least Privilege (POLP)#

POLP limits access to sensitive systems and data to only those who need it. By enforcing POLP, Medibank could have slowed down the attackers or prevented them from accessing critical databases altogether.

4.3 Use Multi-Factor Authentication (MFA)#

MFA adds an extra layer of security by requiring additional verification steps beyond just a password. According to Microsoft, MFA can prevent up to 98% of account compromise attempts. Adaptive MFA, which adjusts requirements based on risk factors, provides even stronger protection.
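To make the adaptive MFA idea concrete, here is an added example (not code from the original post or from any vendor) of a login decision that scores the request's risk and demands a second factor for remote access, privileged roles, unknown devices or an unusual country; the second factor is a time-based one-time password verified per RFC 6238 with a one-step clock-drift window. The risk weights, role names and request context fields are assumptions made for this example; the secret in the test is the RFC 6238 reference key, used only so the codes can be checked against the published vectors.

```python
"""Adaptive MFA decision with an RFC 6238 TOTP second factor.

Added example, not part of the original post. The risk model (weights,
threshold, role list) and the request context keys are assumptions.
"""
import base64
import hashlib
import hmac
import struct
import time

PRIVILEGED_ROLES = {"admin", "dba"}


def totp(secret_b32, unix_time, step=30, digits=6):
    """Standard TOTP (HMAC-SHA1, dynamic truncation) for the given Unix time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret_b32, code, unix_time, step=30, drift_steps=1):
    """Accept the code for the current step or one step either side (clock drift).
    Constant-time comparison avoids leaking how many digits matched."""
    for d in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, unix_time + d * step, step)
        if hmac.compare_digest(expected, str(code)):
            return True
    return False


def assess_risk(ctx):
    """Add up risk signals from the login context; returns (score, reasons)."""
    score, reasons = 0, []
    if ctx.get("remote"):
        score += 2
        reasons.append("remote access")
    if not ctx.get("known_device"):
        score += 2
        reasons.append("unknown device")
    if ctx.get("country") != ctx.get("usual_country"):
        score += 3
        reasons.append("unusual country")
    if ctx.get("role") in PRIVILEGED_ROLES:
        score += 3  # privileged accounts never log in on a password alone
        reasons.append("privileged role")
    return score, reasons


def login(ctx, password_ok, totp_code=None, unix_time=None, mfa_threshold=2):
    """Return (decision, reasons) where decision is allow, mfa_required or deny."""
    if not password_ok:
        return "deny", ["bad password"]
    score, reasons = assess_risk(ctx)
    if score < mfa_threshold:
        return "allow", reasons
    if totp_code is None:
        return "mfa_required", reasons
    now = time.time() if unix_time is None else unix_time
    if verify_totp(ctx["totp_secret"], totp_code, now):
        return "allow", reasons
    return "deny", reasons + ["invalid second factor"]


if __name__ == "__main__":
    # Constructed context resembling the post's scenario: admin credentials
    # used remotely from a device the company has never seen.
    ctx = {"role": "admin", "remote": True, "known_device": False,
           "country": "RU", "usual_country": "AU",
           "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}
    print(login(ctx, password_ok=True))
```

With a policy like this, the stolen credentials in the Medibank case would have produced an "mfa_required" response instead of a session, and the repeated failed second-factor attempts would themselves be a detection signal worth alerting on.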

4.4 Implement Robust Network Segmentation#

Network segmentation isolates sensitive data into secure zones, making it more challenging for attackers to locate and access. For extra security, jump servers can control connection requests to these zones, reducing the risk of unauthorized access.
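The segmentation and jump-server idea can be written down as a deny-by-default flow policy and then checked against observed traffic. The script below is an added example (not code from the original post) that maps IP addresses to zones with longest-prefix matching, allows only the listed zone-to-zone flows (workstations reach the sensitive zone exclusively through the jump host), and audits a constructed set of flow records for violations such as a workstation reaching the database directly or the database host talking to the internet. The address ranges, ports and sample flows are assumptions made for this example.

```python
"""Deny-by-default zone policy with a jump host, audited against flow records.

Added example, not part of the original post. Zones, ports and the
sample flows are constructed for this illustration.
"""
import ipaddress

# Constructed zone layout: the sensitive database zone is reachable only
# from the jump zone; everything not listed in ALLOWED is denied.
ZONES = {
    "corp": ipaddress.ip_network("10.10.0.0/16"),
    "jump": ipaddress.ip_network("10.20.0.0/24"),
    "sensitive-db": ipaddress.ip_network("10.30.0.0/24"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}

ALLOWED = {
    ("corp", "jump", 22),          # workstations may SSH to the jump host
    ("jump", "sensitive-db", 5432),  # only the jump host may reach the DB
    ("corp", "internet", 443),     # ordinary web browsing
}


def zone_of(ip):
    """Longest-prefix match so 10.30.0.5 is 'sensitive-db', not 'internet'."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def is_allowed(src_ip, dst_ip, dst_port):
    """Deny by default: a flow passes only if its zone pair and port are listed."""
    return (zone_of(src_ip), zone_of(dst_ip), dst_port) in ALLOWED


def audit_flows(flows):
    """Return the flows that violate the policy, annotated with their zones.
    `flows` is an iterable of (src_ip, dst_ip, dst_port) tuples."""
    violations = []
    for src, dst, port in flows:
        if not is_allowed(src, dst, port):
            violations.append({"src": src, "dst": dst, "port": port,
                               "src_zone": zone_of(src), "dst_zone": zone_of(dst)})
    return violations


# Constructed flow records: two legitimate hops through the jump host,
# one workstation bypassing it, and the DB host reaching the internet.
SAMPLE_FLOWS = [
    ("10.10.4.21", "10.20.0.10", 22),
    ("10.20.0.10", "10.30.0.5", 5432),
    ("10.10.4.21", "10.30.0.5", 5432),
    ("10.30.0.5", "203.0.113.77", 443),
]

if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS):
        print(v)
```

The two flagged flows are the ones segmentation is meant to stop: a direct path from a user network into the data zone, and the data zone itself initiating connections outward, which is how bulk exfiltration leaves the network.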

5 Conclusion#

The Medibank data breach highlights the critical need for robust cybersecurity measures in today’s digital landscape. By implementing basic security practices like credential protection, MFA, POLP, and network segmentation, organizations can significantly reduce their risk of suffering a similar attack.

This incident serves as a stark reminder that protecting sensitive customer data is not just a legal obligation but a fundamental aspect of maintaining trust in the digital age.
