Pity the IT guy.
Logging in via his work computer, he did what a lot of people do.
He saved his username and password to his personal internet browser.
Those credentials then “synced” across to his personal computer.
But as the employee of a contractor to private health insurance giant Medibank, he unwittingly opened the back door to an alleged Russian cybercriminal and one of the worst reported privacy breaches in Australian history.
More than one in three Australians suddenly found themselves at risk of having their most sensitive data leaked for public consumption.
This nightmarish scenario came true for hundreds of people in November and December 2022, with pregnancy terminations among the procedures published in detail on the so-called dark web.
Medibank chief executive David Koczkar branded the move “disgraceful” as the insurer, in line with conventional wisdom, refused to pay a ransom.
In the year following the hack, Medibank boosted its revenue and gross profit to $7.1 billion and $727.1 million respectively.
It’s not the hapless IT contractor but the big corporate machine that the Australian Information Commissioner is now seeking to hold to account.
It’s filed a Federal Court action, claiming the private health insurer had breached the privacy act for each of the 9.7 million individuals. Each contravention can attract a maximum fine of $2.22 million.
In court documents, the commissioner has laid out a timeline of alleged cybersecurity blunders by Medibank amounting to “serious interferences with the privacy of… approximately 9.7 million individuals”.
It says on around August 7, 2022, the IT contractor’s personal computer was hacked by a “threat actor” who stole his Medibank username and password.
That threat actor, according to the Australian and US governments, was a Moscow-born extortion artist of the first order, who went by online handles including “blade_runner” and “JimJones”.
The Australian government would later implicate Aleksandr Ermakov, who the US government said was linked to REvil, one of the “most notorious cybercrime gangs in the world”.
REvil had allegedly pumped out ransomware on about 175,000 computers worldwide to haul in at least US$200 million ($299 million) in ransoms.
The then 32-year-old apparently hoped to squeeze out another $15 million from Medibank.
The AIC claim says the “threat actor” spent weeks obtaining his bargaining chip.
This was the mountain of Medibank client data from names to birthdays, home and email addresses, phone and passport and Medicare numbers, financial information as well as details of employment, race and ethnicity, illnesses, disabilities, injuries, and health treatments.
In Australia, this is the “most sensitive data short of classified data”, cybersecurity expert Iman Tahami told the ABC.
Alerts ‘not appropriately escalated’
The hackers waited five days to test the IT contractor’s admin account credentials by logging onto Medibank’s Microsoft Exchange server.
About 11 days after that, they got into Medibank’s “Virtual Private Network” (VPN) which controlled remote access to its corporate network.
They were only able to do so because Medibank, the $10 billion juggernaut and keeper of secrets for more than 9 million people, didn’t require what’s called “multi-factor authentication” for its VPN, according to the commissioner’s filings.
This requirement for two or more ways of proving a user’s identity was even then a bog-standard safeguard for large organisations.
Instead, the hackers only needed someone’s username and password.
Still, about that time, the hackers’ moves tripped a wire with the insurer’s security software, which sent alerts to an IT security email.
But it seemed nobody was home.
“These alerts were not appropriately triaged or escalated by either Medibank or its service provider … at that time,” the information commissioner’s claim says.
This allegedly left the coast clear for the hackers to get into various Medibank IT systems, including one containing information on how a key database elsewhere was structured.
This was the “MARS” database, which contained “personal information of Medibank’s customers, including sensitive and health information”.
Between August 25 and October 13, Ermakov and the REvil crew allegedly hoovered up 520 gigabytes worth of that information.
The hackers kept tripping security wires and triggering alerts but these again were “not appropriately triaged or escalated by either Medibank or [its service provider]”, the commissioner alleges.
On October 11 — almost two months after the hacker first logged into the system — Medibank’s Security Operations team responded to a “high severity incident” and an alert of files being modified to exploit a vulnerability.
They called in a digital forensics service called Threat Intelligence to investigate.
According to the commissioner’s claim, until October 16, 2022, when a Threat Intelligence analyst noted that “suspicious volumes of data” had been taken from the network, “Medibank was not aware that customer data had been accessed by a threat actor and exfiltrated from its systems”.
Ermakov and REvil had allegedly been secretly sucking out sensitive data for almost two months.
The hackers broke cover and made contact on October 19 and 22, 2022, giving Medibank a taste of the files they had.
With no ransom paid, the data began leaking out on the dark web over three weeks.
Medibank warned about ‘serious deficiencies’ in IT security
Given Medibank’s “size, resources, the nature and volume of the personal information it held … and the risk of harm for an individual in the case of a breach”, it failed to take proper steps to protect its clients’ privacy, according to the commissioner’s claim.
The fallout of its failure included exposing more than nine million people to “harm including potential emotional distress and the material risk of identity theft, extortion and financial crime”, it says.
Medibank’s core IT team included 13 full-time IT security professionals, working with a $1 million a year cybersecurity budget, out of a $4–5 million total budget for IT.
What’s more, Medibank was “aware of serious deficiencies in its cybersecurity and information security framework”, the commissioner alleges.
Between 2018 and August 2022 — the month of the hack — consultants including KPMG and PricewaterhouseCoopers repeatedly warned Medibank to lift its game around information security.
The commissioner has listed internal audits that highlighted some of Medibank’s Achilles heels which allegedly exposed it to the Russian cybercriminals.
These included three tests by Threat Intelligence which identified Medibank’s “insecure or weak password requirements” in March and September 2018 and November 2020.
A KPMG report in about August 2021 warned that multi-factor authentication had “not been implemented for privileged users when accessing particular systems, backend portals, or supporting servers”.
An internal Medibank presentation months before the hack found that a set of controls to identify gaps in compliance with information security standards mandated by the Australian Prudential Regulation Authority had been “prepared in 2020, but never implemented”.
The Federal Court action is being watched intently by law firms circling with separate compensation claims.
Elizabeth O’Shea, an internet-savvy lawyer at Maurice Blackburn acting in a group complaint seeking compensation orders from the commissioner, knew she was stating the obvious: “We welcome this development.”
“We’re obviously really interested in making sure that [our] representative complaint progresses,” she said.
“But we say this is an important step along the way, which suggests that many of the people that we’ve spoken to have experienced harm as a result of this data breach, that the commissioner will agree with us that they should be entitled to compensation.”
Lawyers at Baker McKenzie, which is leading a class action for affected Medibank customers, declined to comment.
Medibank has also declined to comment but in a statement to the ASX, said it intended to “defend the proceedings”.