
Medibank was aware of “serious deficiencies in its cybersecurity and information security framework” at least two years before a devastating data breach that saw a record loss of personal customer information to hackers, the Australian Information Commissioner (OAIC) has alleged in a document filed to the Federal Court.
As part of ongoing court proceedings initiated by the Information Commissioner in early June, Medibank was accused of multiple security failures – not only during but also several years before the data breach incident that resulted in the loss of millions of personal records.
This data, which included details of medical treatments and claims, was eventually posted to the dark web within a few weeks of the breach.
The OAIC alleges in its suit that between 12 March 2021 and 13 October 2022, Australia’s biggest health insurer “seriously, further or alternatively repeatedly, interfered with the privacy of approximately 9.7 million individuals (comprising current and former Medibank customers), whose personal information it held”, which it said breached its obligations under the Privacy Act.
Notably, it was alleged that Medibank not only failed to implement multifactor authentication (MFA) on its VPN, which controlled remote access to its corporate network, but that a third-party IT contractor (with “elevated” administrative access to Medibank’s systems) was able to save their password for this system on their personal browser profile.
These Medibank credentials were then purportedly stolen from the IT contractor via malware (named but redacted in the OAIC document) installed on their personal computer.
MFA, which is listed as a core Essential 8 recommendation, is widely considered a basic security measure for ICT systems, particularly those with sensitive data.
The OAIC alleges that, two years before the breach, an external auditor had made the health insurer aware that an “excessive number of individuals” had been “given excessive privileges” to Medibank’s ‘Active Directory’ (the Microsoft directory service used to manage all Medibank users, group policies and domains). This, it said, was a “critical defect” in its security framework.
In 2021, an external audit of Medibank’s E8 strategies conducted by KPMG also showed that MFA had not been implemented for privileged users when accessing particular systems, backend portals, or supporting servers.
At the time of the initial breach, on or around 24 and 25 August 2022, the OAIC said Medibank’s IT security operations team failed to adequately respond to “various alerts” issued by its endpoint detection and response (EDR) system when it identified activity relating to the threat actor.
“These alerts were not appropriately triaged or escalated by either Medibank or its service provider [since redacted], at that time,” it wrote.
This resulted in the exfiltration of approximately 520 gigabytes of data, including highly sensitive personal, medical and claims details, from Medibank’s systems (including the MARS Database and MPLFiler systems) by the threat actor.
On 11 October, Medibank engaged a threat intelligence provider, alongside its existing digital forensics and incident response partner, to perform an incident response investigation.
Five days later, and around three weeks after the initial breach, the threat intelligence analyst noted that a “series of suspicious volumes of data” had been exfiltrated from Medibank’s network.
However, until it was contacted by the threat actor (in its bid to extort the insurer), Medibank was not aware that personal customer data had been stolen in the breach, the OAIC said.
Under section 13G of the Privacy Act, an entity is liable for a civil penalty “if it does an act, or engages in a practice, that is a serious or repeated interference with the privacy of an individual”.
The OAIC argued in its submission that the nature of the deficiencies in Medibank’s cybersecurity and information security framework, as well as its failure to implement or properly configure basic information security controls (particularly for an organisation of its size) and the volume and sensitivity of the personal information it lost, leaves it liable for a breach of the Act.