Credentials theft behind high-profile Medibank hack – Security


Australia’s largest health insurer Medibank was breached after hackers stole credentials and used the login details to access its network.

In an ASX filing for its 2023 half-year results, the insurer said that its systems were accessed through a stolen Medibank username and password.

That login was used by an unnamed third-party IT services provider for Medibank.

With the stolen credentials in hand, the hacker got into Medibank’s network through a misconfigured firewall appliance, which “did not require an additional digital security certificate,” the insurer said.

Inside the network, the hacker was able to move laterally and capture further user credentials to freely access more of Medibank’s systems.

The insurer discovered the hack within 24 hours of it taking place, but was powerless to stop the copied-over data from being leaked on the internet.

Ransomware raiders REvil, linked to Russia, are thought to be behind the hack, which saw the sensitive information of 9.7 million current and former Medibank customers breached after the insurer refused to pay the extortionists.

Australia’s prime minister Anthony Albanese is a Medibank customer, although it is unclear whether his data was included in the breach.

In its half year 2023 results, Medibank attributed a cost of $26.2 million to the cyber crime attack.

Medibank said that it has now made sure that firewall authentication is configured properly across its entire network.

Existing monitoring, detection and forensics capabilities have been bolstered, along with Operation Safeguard testing of customer-facing platforms done with security experts from Microsoft.

Medibank contact centres have also introduced two-factor authentication (2FA) to improve security for customers calling for support.

The insurer is being investigated by the Office of the Australian Information Commissioner, and Medibank has commissioned professional services company Deloitte to conduct an external review that is currently ongoing.
