2022 was a big year for cyber security breaches in Australia.
Both telecommunications provider Optus and private health insurer Medibank suffered large-scale data breaches affecting tens of millions of Australians, leading to heightened regulatory and business focus on cyber security in the years since.
The two data breaches also led to legal action, with recent court filings detailing alleged technical contributors to the incidents. For Optus, a coding error in an exposed, dormant API provided access, while compromised credentials on an admin account opened the door to Medibank’s customer data.
What caused the Optus data breach?
The Australian Communications and Media Authority said a coding error in the access controls for a dormant, internet-facing API enabled a cyber criminal to breach Optus’ cyber defenses and expose the personally identifiable information of 9.5 million former and current customers in 2022.
How a coding error led to security breach
In a statement of claim annexed to court orders published in June 2024, ACMA detailed how the access controls for an unused API, originally designed to allow customers access to information on the Optus website via a subdomain, were rendered ineffective by a coding error in 2018.
ACMA claims that, although Optus discovered and fixed the coding error in August 2021 in relation to its main website domain, the telco did not detect and fix the same error affecting the sub-domain. This meant that when the API was made internet-facing in 2020, Optus was left vulnerable to a cyber attack.
SEE: CISOs in Australia urged to take a closer look at data breach risks
ACMA claims Optus missed several chances to identify the error over four years, including when it was released into a production environment following review and testing in 2018, when it became internet-facing in 2020, and when the coding error was detected on the main domain.
“The target domain was permitted to sit dormant and vulnerable to attack for two years and was not decommissioned despite the lack of any need for it,” ACMA states in the court documents.
A cyber criminal exploited the coding error in 2022
The coding error allowed a cyber attacker to bypass the API access controls and send requests to the target APIs over three days in September 2022, ACMA alleges, which successfully returned customers’ PII.
ACMA further states that the cyber attack “was not highly sophisticated or one that required advanced skills or proprietary or internal knowledge of Optus’ processes or systems,” but was “carried out through a simple process of trial and error.”
Optus suggests hacker actively avoided detection
Following ACMA’s filing of proceedings in federal court, Optus confirmed a previously unknown vulnerability from a historical coding error. In a statement to iTnews, Optus said it will continue to cooperate with ACMA, though it will defend the action where necessary to correct the record.
Optus Interim CEO Michael Venter told the publication that the vulnerability was exploited by a “motivated and determined criminal” who evaded and bypassed various authentication and detection controls, including by mimicking usual customer activity by rotating through tens of thousands of IP addresses.
The PII of more than 9.5 million Australians was accessed by the cyber attacker in the 2022 breach. This included customers’ full names, dates of birth, phone numbers, residential addresses, drivers licence details and passport and Medicare card numbers, some of which were later published on the dark web.
Australia’s privacy regulator alleges serious Medibank cyber security failures
Medibank’s failure to implement security controls like MFA for virtual private network access — as well as not acting on multiple alerts from its endpoint detection and response security system — paved the way for its data breach, the Australian Information Commissioner claimed.
The AIC alleges serious failures in Medibank cyber security
In court filings for a case brought against Medibank by Australia’s privacy regulator, the AIC alleges that a Medibank contractor’s username and password credentials allowed criminals to hack into Medibank. The credentials were later synced to his personal computer and extracted via malware.
The AIC claims an IT service desk operator contractor saved Medibank credentials to his personal internet browser profile on his work computer. When he later signed into his internet browser profile on his personal computer, the credentials were synced and then stolen via malware.
SEE: Will Australia ever dig itself out of the cyber security skills shortage?
The credentials included a standard access account and an admin account. The admin account gave access to “most, if not all, of Medibank’s systems,” including network drivers, management consoles and remote desktop access to jump box servers, used to access certain Medibank directories and databases.
After logging into Medibank’s Microsoft Exchange Server to test the admin account credentials, the AIC claims that the threat actor was able to authenticate and log onto Medibank’s Global Protect VPN. Since MFA was not enabled, only a device certificate or a username and password were required.
From Aug. 25 to Oct. 13, 2022, the threat actor accessed “numerous IT systems,” some of which yielded information about how Medibank’s databases were structured. The criminal went on to extract 520 gigabytes of data from Medibank’s MARS Database and MPLFiler systems.
The AIC has alleged that Medibank’s endpoint detection and response security system generated various alerts in relation to the threat actor’s activity at different stages of the infiltration, but these alerts were not triaged and escalated by the cyber security team until Oct. 11.
Medibank improving cyber security, will defend AIC proceedings
Data exfiltrated during the breach was later published on the dark web, including names, dates of birth, gender, Medicare numbers, residential addresses, email addresses, phone numbers, visa details for international workers and visitor customers.
SEE: Leading CISO wants Australian businesses to avoid attack ‘surprises’
Sensitive PII data published also included customer health claims data, the AIC said, including patient names, provider names, provider location and contact details, diagnosis numbers and procedure numbers and dates of treatment.
Deloitte conducted an external review of the breach, and in an update, Medibank said it had been cooperating with the OAIC’s investigations following the incident. The health insurer said it intends to defend the proceedings brought by the AIC.
