The Office of the Australian Information Commissioner (OAIC) alleges that the absence of multi-factor authentication (MFA) on Medibank Private Limited's (MPL.AX) remote-access systems led to the 2022 data breach that exposed the personal information of roughly 9.7 million current and former customers.
New Court Filings Claim Lack Of Multi-factor Authentication Led To Medibank Hacks
According to documents filed with the Australian Federal Court on Monday, 17 June 2024, the OAIC alleges the breach began with an employee of one of Medibank's contractors. This IT service desk operator saved Medibank login details to a personal browser profile; the credentials were stolen from that device in August 2022, and the attackers used them to log in to Medibank's systems.
Personal details accessed included names, addresses, Medicare numbers, and health and financial information. ABC News reported that the court documents state:
Global Protect VPN did not require two or more proofs of identity or multi-factor authentication (MFA). Rather, Medibank’s Global Protect VPN was configured so that only a device certificate, or a username and password (such as the Medibank Credentials), was required.
The health insurer, which stands accused of contravening Australia’s Privacy Act, had been informed of its cyber-security weaknesses in 2018 and 2020. According to the court filings, these included “deficiencies regarding insecure or weak password requirements”.
The maximum penalty is 2.22 million AUD per contravention. If each of the roughly 9.7 million affected customers were counted as a separate contravention, the theoretical maximum penalty would exceed 21 trillion AUD.
Medibank has not commented to date. By the final bell on Monday, 17 June 2024, its shares were up 2.17% at 3.77 AUD apiece.