Learning from others’ mistakes

Spotlight on Infosec
For financial professionals only

Medibank, Australia’s biggest health insurer, is the latest company to have suffered a significant data breach.

In a scathing report, the Australian Information Commissioner found Medibank acted recklessly by failing to implement basic security measures, allowing attackers to steal personal data of 9.7 million people, including:

  • names
  • dates of birth
  • home addresses
  • phone numbers
  • email addresses
  • passport numbers
  • financial information

The report claimed Medibank failed to take reasonable steps to protect personal information from misuse, unauthorised access and disclosure, and that it had breached privacy principles.

What happened?

An employee of a Medibank contractor saved his Medibank username and password for several Medibank accounts to a personal browser profile on his Medibank computer, and those details then synced across to his personal computer. When threat actors infected that personal computer with information-stealing malware, they were able to:

  • steal all the saved passwords in his browser, giving them access to Medibank’s systems and a working login for the VPN
  • steal 520GB of data over several months

Medibank’s endpoint detection software did raise alerts about the suspicious behaviour, but these were ignored. It was only while investigating a different incident that Medibank finally discovered the breach, nearly three months after the first alerts were raised.

What can you learn from this?

1. Personal habits can have serious impacts on businesses

If you’re using browser password managers, use separate accounts for personal and work credentials. A better option would be to block the ability to save passwords to browsers and instead use a standalone password manager.
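One way to enforce that second option on managed Windows endpoints, as an added example that is not part of the original article: it sets the documented Chrome and Edge policy values that disable the built-in password manager, profile sync and browser sign-in (so work credentials cannot follow a personal profile to another machine), and includes a check function you can run as a compliance test. It assumes the registry policy paths used by Google Chrome and Microsoft Edge and an elevated PowerShell session.

```powershell
# Added example (not from the article): enforce the Chrome/Edge policies that
# stop credentials being saved in the browser or synced to a personal device.
# Policy names are the documented Chromium/Edge ones; run elevated, and the
# browser picks the values up on its next start.
$policies = @{
    'HKLM:\SOFTWARE\Policies\Google\Chrome'  = @{ PasswordManagerEnabled = 0; SyncDisabled = 1; BrowserSignin = 0 }
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge' = @{ PasswordManagerEnabled = 0; SyncDisabled = 1; BrowserSignin = 0 }
}

function Set-BrowserCredentialPolicy {
    # Write every policy as a REG_DWORD, creating the policy key if it is absent.
    foreach ($path in $policies.Keys) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $policies[$path].Keys) {
            New-ItemProperty -Path $path -Name $name -Value $policies[$path][$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-BrowserCredentialPolicy {
    # Return each policy that is missing or holds a permissive value, so the
    # check can be scheduled from an RMM tool or login script and alerted on.
    $findings = @()
    foreach ($path in $policies.Keys) {
        foreach ($name in $policies[$path].Keys) {
            $expected = $policies[$path][$name]
            $actual   = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            if ($actual -ne $expected) {
                $findings += [pscustomobject]@{ Path = $path; Policy = $name; Expected = $expected; Actual = $actual }
            }
        }
    }
    return $findings
}

Set-BrowserCredentialPolicy
Test-BrowserCredentialPolicy | Format-Table -AutoSize   # no rows means every policy is enforced
```

These policies only remove the browser as a credential store; a standalone password manager with separate work and personal vaults still has to be deployed alongside them.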

2. Password-only authentication has got to go

Use MFA when accessing any platforms or systems that hold sensitive or critical information, especially for remote access to services such as VPNs, cloud services, email, and admin accounts.

To set up MFA for your Parmenion account, simply download the Parmenion app.

3. Triage and escalate alerts as they happen to limit the chance of a breach

Make sure you’ve got robust processes and clearly assigned responsibilities in place for the different types of cyber attack, to limit the damage a breach could cause. Take time to work through the processes and test their effectiveness, so you’re confident you can deal with an alert when you receive one.

What has the Information Commissioner's Office (ICO) done?

Following the breach, the ICO began investigating Medibank’s controls, reviewing the cybersecurity and information security standards and frameworks in force at the time of the breach, and considering how reasonable it would have been for Medibank to have implemented those controls.

The ICO report [1] found that Medibank “failed adequately to manage cybersecurity and/or information security risk congruent with the nature and volume of personal information it held (…), its size, and the risk profile of organisations operating within its sector.”

Their examination of Medibank’s cybersecurity framework revealed an awareness of ‘serious deficiencies’ over the years, with these five key issues highlighted through testing but not prioritised:

  • Poor password controls – ‘insecure or weak password requirements for accessing its systems’
  • Providing more access than needed – ‘a number of individuals had been given excessive privileges to perform simple daily routines’
  • Lack of MFA for privileged access – ‘MFA hadn’t been enabled for privileged and non-privileged users’, described as a ‘critical’ defect
  • Partial scanning and monitoring across the estate – ‘vulnerability scanning of workstations was only being done on a representative sample of workstations… security event monitoring should be uplifted to include unsuccessful MFA attempts… application control software was not in place for all servers and workstations’
  • Not managing third parties – ‘deficiencies in relation to [amongst other things] the testing of third-party information security controls’

How strong are your defences?

If you have a breach, the ICO will review your cybersecurity framework, evaluating your awareness of vulnerabilities and your action plans.

They will want to build a picture of how cyber security practices are embedded (or not) in your business and culture and expect to see:

  • up-to-date, regularly reviewed information security policies, strategy documentation, training logs, risk registers, external testing reports, and audits
  • clear records of how you’ve closed identified vulnerabilities in a timely manner

Testing and benchmarking your defences is only effective if you close the vulnerabilities identified.

Implement a robust process to log and track vulnerabilities. If you’ve got outstanding vulnerabilities that are several years old, you can expect the ICO to take those failings into account when it decides on enforcement action and financial penalties.

[1] https://www.oaic.gov.au/__data/assets/pdf_file/0025/221974/AIC-v-Medibank-Private-Limited-concise-statement.pdf

This article is for financial professionals only. Any information contained within is of a general nature and should not be construed as a form of personal recommendation or financial advice. Nor is the information to be considered an offer or solicitation to deal in any financial instrument or to engage in any investment service or activity.

Parmenion accepts no duty of care or liability for loss arising from any person acting, or refraining from acting, as a result of any information contained within this article. All investment carries risk. The value of investments, and the income from them, can go down as well as up and investors may get back less than they put in. Past performance is not a reliable indicator of future returns.