2022 was a big year for cyber security data breaches in Australia.
Both telecommunications provider Optus and private health insurer Medibank suffered large-scale data breaches affecting tens of millions of Australians, leading to heightened regulatory and business focus on cyber security in the years since.
The two data breaches also led to legal action, with recent court filings detailing alleged technical contributors to the incidents. For Optus, a coding error in an exposed, dormant API provided access, while compromised credentials on an admin account opened the door to Medibank’s customer data.
What caused the Optus data breach?
The Australian Communications and Media Authority said a coding error in the access controls for a dormant, internet-facing API enabled a cyber criminal to breach Optus’ cyber defenses and expose the personally identifiable information of 9.5 million former and current customers in 2022.
How a coding error led to a data breach
In a statement of claim annexed to court orders published in June 2024, ACMA detailed how the access controls for an unused API, originally designed to allow customers access to information on the Optus website via a subdomain, were rendered ineffective by a coding error in 2018.
ACMA claims that, though Optus discovered and fixed the coding error in August 2021 in relation to its main website domain, the telco did not detect and fix the same error affecting the subdomain. This meant that when the API was made internet-facing in 2020, Optus was left vulnerable to a cyber attack.
ACMA claims Optus missed several chances to identify the error over four years, including when it was released into a production environment following review and testing in 2018, when it became internet-facing in 2020, and when the coding error was detected on the main domain.
“The target domain was permitted to be dormant and vulnerable to attack for two years and was not decommissioned despite the lack of any need for it,” ACMA states in the court documents.
A cyber criminal exploited the coding error in 2022
The coding error allowed a cyber attacker to bypass the API access controls and send requests to the target APIs over three days in September 2022, ACMA alleges, which successfully returned customers’ PII.
ACMA further states that the cyber attack “was not highly sophisticated or one that required advanced skills or proprietary or internal knowledge of Optus’ processes or systems,” but was “carried out through a simple process of trial and error.”
Optus suggests hacker actively avoided detection
Following ACMA’s filing of proceedings in federal court, Optus confirmed a previously unknown vulnerability from a historical coding error. In a statement to iTnews, Optus said it will continue to cooperate with ACMA, though it will defend the action where necessary to correct the record.
Optus Interim CEO Michael Venter told the publication that the vulnerability was exploited by a “motivated and determined criminal” who evaded and bypassed various authentication and detection controls, including by mimicking usual customer activity by rotating through tens of thousands of IP addresses.
The PII of more than 9.5 million Australians was accessed by the cyber attacker in the 2022 breach. This included customers’ full names, dates of birth, phone numbers, residential addresses, driver’s licence details and passport and Medicare card numbers, some of which were later published on the dark web.
Australia’s privacy regulator alleges serious Medibank cyber security failures
Medibank’s failure to implement security controls like MFA for virtual private network access — as well as not acting on multiple alerts from its endpoint detection and response security system — paved the way for its data breach, the Australian Information Commissioner claimed.
The AIC alleges serious failures in Medibank cyber security
In court filings for a case brought against Medibank by Australia’s privacy regulator, the AIC alleges that a Medibank contractor’s username and password credentials allowed criminals to hack into Medibank. The credentials were later synced to his personal computer and extracted via malware.
The AIC claims an IT service desk operator contractor saved Medibank credentials to his personal internet browser profile on his work computer. When he later signed into his internet browser profile on his personal computer, the credentials were synced and then stolen via malware.
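As an added illustration (not from the article, ACMA or Optus), the Python below shows why detection for the pattern described above has to aggregate by endpoint and record rather than by client IP: on constructed log lines, the record enumeration is spread across many source addresses so no single IP exceeds a per-IP threshold, while a hypothetical service inventory flags traffic to an endpoint that should have been decommissioned.

```python
import re
from collections import defaultdict

# Constructed sample API access log (not from the page): "timestamp src_ip method path status".
# Five requests walk consecutive customer IDs, each from a different source IP; one IP
# repeats a request to an in-service endpoint three times.
SAMPLE_LOG = """\
2022-09-17T10:00:01Z 203.0.113.10 GET /api/customer/1000021 200
2022-09-17T10:00:02Z 203.0.113.11 GET /api/customer/1000022 200
2022-09-17T10:00:02Z 203.0.113.12 GET /api/customer/1000023 200
2022-09-17T10:00:03Z 203.0.113.13 GET /api/customer/1000024 200
2022-09-17T10:00:03Z 203.0.113.14 GET /api/customer/1000025 200
2022-09-17T10:00:04Z 198.51.100.7 GET /api/plans/42 200
2022-09-17T10:00:05Z 198.51.100.7 GET /api/plans/42 200
2022-09-17T10:00:06Z 198.51.100.7 GET /api/plans/42 200
"""

# Hypothetical inventory of endpoints that are supposed to be in service.
ACTIVE_ENDPOINTS = {"/api/plans/{id}"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
ID_SEGMENT_RE = re.compile(r"/\d+(?=/|$)")


def normalise(path):
    """Collapse numeric path segments so every record of one endpoint shares a key."""
    return ID_SEGMENT_RE.sub("/{id}", path)


def analyse(log_text, id_threshold=3):
    """Aggregate successful responses by endpoint (not by client IP); return (stats, alerts)."""
    stats = defaultdict(lambda: {"records": set(), "ips": set(), "per_ip": defaultdict(int)})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(5) != "200":
            continue  # malformed line, or no data was returned
        _ts, ip, _method, path, _status = m.groups()
        s = stats[normalise(path)]
        s["records"].add(path)
        s["ips"].add(ip)
        s["per_ip"][ip] += 1
    alerts = []
    for endpoint, s in sorted(stats.items()):
        if endpoint not in ACTIVE_ENDPOINTS:
            alerts.append(f"{endpoint}: traffic to endpoint not in service inventory")
        # Enumeration shows up as many distinct records even when no single IP is noisy.
        if len(s["records"]) >= id_threshold:
            alerts.append(f"{endpoint}: {len(s['records'])} distinct records via {len(s['ips'])} IPs, "
                          f"max {max(s['per_ip'].values())} requests from any one IP")
    return stats, alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG)[1]:
        print(alert)
```

The only IP that would trip a per-IP rate limit here is the benign one fetching a single plan three times; the enumeration never exceeds one request per address.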
The credentials included a standard access account and an admin account. The admin account gave access to “most, if not all, of Medibank’s systems,” including network drives, management consoles and remote desktop access to jump box servers, used to access certain Medibank directories and databases.
After logging into Medibank’s Microsoft Exchange Server to test the admin account credentials, the AIC claims that the threat actor was able to authenticate and log onto Medibank’s Global Protect VPN. Since MFA was not enabled, only a device certificate or a username and password were required.
From Aug. 25 to Oct. 13, 2022, the threat actor accessed “numerous IT systems,” some of which yielded information about how Medibank’s databases were structured. The criminal went on to extract 520 gigabytes of data from Medibank’s MARS Database and MPLFiler systems.
The AIC has alleged that Medibank’s endpoint detection and response security system generated various alerts in relation to the threat actor’s activity at different stages of the infiltration, but these alerts were not triaged and escalated by the cyber security team until Oct. 11.
Medibank improving cyber security, will defend AIC proceedings
Data exfiltrated during the breach was later published on the dark web, including names, dates of birth, gender, Medicare numbers, residential addresses, email addresses, phone numbers, and visa details for international workers and visitor customers.
Sensitive PII data published also included customer health claims data, the AIC said, including patient names, provider names, provider location and contact details, diagnosis numbers and procedure numbers, and dates of treatment.
Deloitte conducted an external review of the breach, and in an update, Medibank said it had been cooperating with the OAIC’s investigations following the incident. The health insurer said it intends to defend the proceedings brought by the AIC.