The hacker obtained credentials from an external IT provider.
Australian health insurer Medibank made a “novice mistake” that led to one of the largest data breaches in our country’s history, a cybersecurity expert claimed following new details about the breach.
The health insurer said its systems were accessed “using a stolen Medibank username and password used by a third-party IT service provider.”
The criminal used the stolen credentials to access Medibank’s network through a misconfigured firewall that did not require an additional digital security certificate.
“The criminal managed to obtain additional usernames and passwords to access a number of Medibank systems and their access was not restricted.”
Once inside, the attackers obtained a wealth of customer information that they used to extort Medibank, demanding a ransom which the company refused to pay.
The saga ended with the hackers dumping the complete 5GB data set online.
Louay Ghashash, chair of the Australian Computer Society’s (ACS) Cyber Security Committee, said it was a “novice mistake” by Medibank to allow a third party uncontrolled access to its systems.
“The fact that they allowed this service provider to run freely without checking security practices and conducting user access reviews is a failure on Medibank’s part,” Ghashash told Information Age.
“Service providers should have security standards that are better or equal to the customer’s standard, but it’s up to the customers to make sure.”
Ghashash said it’s not uncommon for companies to share administrator accounts with third-party providers who may need high-level access to their environment.
But this makes it nearly impossible to enforce multi-factor authentication (MFA), creating a serious weakness in that company’s security.
“Service providers are often necessary, but they can pose an increased risk to a business, so you need to make sure you trust them,” he said.
“In some cases you need to audit the company, send someone to validate their claims that they regularly patch their infrastructure and see evidence that they are following at least the Essential Eight.”
For Medibank, the cost of not covering the risk of a third party handing over high-level credentials to an attacker has already reached $26 million, and that figure is expected to reach $45 million by the end of the fiscal year.
And that doesn’t include the potential “remediation, regulatory, or litigation-related costs” that could result from a class action lawsuit which has been launched against the insurer, or fines from the Office of the Australian Information Commissioner (OAIC), which is investigating the breach.
Aaron Bugal, regional CTO at cybersecurity firm Sophos, said “negligence has proven to be an accomplice element” in cyberattacks.
“Multi-factor authentication could have negated the impact of stolen credentials, and while not impervious to a determined cybercriminal, it would have limited the ease with which they gained initial access,” he said.
On Wednesday, the OAIC published its latest notifiable data breaches report covering the period July to December 2023.
During that period, the Commissioner was made aware of 497 breaches, most of which affected fewer than 100 people.
Of those breaches, 70% were attributed to criminal or malicious attacks, with 25% caused by human error – such as emailing personal information to the wrong recipient – and the remaining 5% due to system errors.