2022 saw two of the largest cyber security breaches in Australia's history.
Telecommunications giant Optus and private health insurer Medibank both suffered data breaches affecting millions of Australians, and both incidents have kept cyber security high on the agenda of regulators and businesses in the years since.
Legal action followed both breaches, and recently published court documents set out the regulators' alleged technical causes. For Optus, an internet-exposed, dormant API with a coding error in its access controls allowed unauthorised access. For Medibank, stolen credentials for an administrative account exposed customer data.
Reasons behind the Optus breach
The Australian Communications and Media Authority (ACMA) alleged that a coding error in the access controls of an unused, internet-accessible API let a cybercriminal bypass Optus' security measures and expose the personal information of 9.5 million current and former customers in 2022.
The Role of a Coding Error in the Security Breach
According to a concise statement filed in the Federal Court and published by ACMA in June 2024, the API was originally built to serve customer information through a subdomain of the Optus website. Its access controls were rendered ineffective by a coding error introduced in 2018.
ACMA alleged that Optus discovered and fixed the same coding error on its main website domain in August 2021, but did not identify or fix the copy of the error affecting the subdomain. As a result, from the time the API was made accessible from the internet in 2020 until the breach, Optus was exposed to intrusion.
ACMA claimed that Optus missed several opportunities to detect the error over four years: when the API was released into production after testing in 2018, when it was made accessible from the internet in 2020, and when the same coding error was found and fixed on the main domain in 2021.
“Despite the absence of any necessity, the target domain remained inactive and vulnerable to intrusion for a span of two years and was not decommissioned,” stated ACMA in the court records.
Exploitation of the Coding Error by a Cybercriminal in 2022
ACMA alleged that the coding error allowed the attacker to bypass the API's access controls and send requests to the target APIs over a three-day period in September 2022, successfully retrieving customers' personally identifiable information.
ACMA added that the attack “was not intricate and did not necessitate advanced expertise or proprietary knowledge about Optus’ internal systems or procedures” and was carried out through a straightforward trial-and-error process.
Optus Says the Attacker Actively Evaded Detection
After ACMA began proceedings in the Federal Court, Optus acknowledged that a previously unknown vulnerability, caused by an old coding error, had been exploited. In a statement to iTnews, Optus said it would continue to engage with ACMA, but was prepared to defend the allegations and correct the record if necessary.
Optus’ Acting CEO, Michael Venter, informed the publication that the breach was exploited by a “determined and motivated criminal” who outwitted various authentication and detection controls, including by mimicking regular customer activity through cycling numerous IP addresses.
The cyber attacker accessed the PII of over 9.5 million Australians during the 2022 breach. This included sensitive information such as customers’ full names, birthdates, contact numbers, addresses, driver’s license particulars, and passport and Medicare card numbers, some of which were subsequently publicized on the dark web.
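The two claims above, an ineffective access control exploited by trial and error and an attacker cycling source IPs to look like ordinary customer traffic, are easier to reason about with a small model. The following is an added illustration written for this article; it is not Optus code and does not describe how Optus' API was actually implemented. The customer records, bearer tokens, ID range and detection thresholds are all constructed for the example. It shows a lookup endpoint whose authorisation check is computed but never enforced, the same endpoint with the check enforced, a harvesting loop that rotates the source IP on every request, and why a per-IP rate limit misses that loop while counting distinct records touched across the whole window does not.

```python
"""Ineffective vs enforced API authorisation, and detecting ID enumeration
that rotates source IPs. Constructed example data; not Optus code."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (fake data, sequential IDs for illustration only).
CUSTOMERS = {
    cid: {"name": f"Customer {cid}", "dob": "1970-01-01", "licence": f"DL{cid}"}
    for cid in range(1000, 1050)
}

# Constructed bearer tokens mapped to the one customer each may read.
SESSIONS = {"tok-1001": 1001, "tok-1002": 1002}


def vulnerable_lookup(customer_id: int, token: Optional[str]) -> Optional[dict]:
    """Hypothetical 'before' version: the authorisation check exists in the
    code but its result is never acted on, so any caller can read any ID."""
    authorised = SESSIONS.get(token) == customer_id  # computed ...
    return CUSTOMERS.get(customer_id)                # ... and ignored


def hardened_lookup(customer_id: int, token: Optional[str]) -> dict:
    """Fixed version: deny by default; only the token's owner may read."""
    owner = SESSIONS.get(token)
    if owner is None or owner != customer_id:
        raise PermissionError(f"token may not read customer {customer_id}")
    return CUSTOMERS[customer_id]


@dataclass(frozen=True)
class Request:
    src_ip: str
    customer_id: int
    status: int  # 200 success, 403 refused, 404 no such record


def enumerate_ids(lookup, ids, token=None):
    """Simulate trial-and-error harvesting: one request per ID, each from a
    different source IP so that a per-IP limit never trips."""
    log, harvested = [], {}
    for i, cid in enumerate(ids):
        ip = f"203.0.113.{i % 250}"  # rotated per request (documentation range)
        try:
            rec = lookup(cid, token)
            status = 200 if rec is not None else 404
            if rec is not None:
                harvested[cid] = rec
        except PermissionError:
            status = 403
        log.append(Request(ip, cid, status))
    return harvested, log


def per_ip_flags(log, threshold=5):
    """Naive control: flag any single IP issuing more than `threshold` requests."""
    return {ip for ip, n in Counter(r.src_ip for r in log).items() if n > threshold}


def enumeration_flag(log, distinct_threshold=5):
    """Resource-centric control: count distinct customer IDs touched and
    refusals over the whole window, independent of how many IPs were used."""
    distinct = len({r.customer_id for r in log})
    refused = sum(1 for r in log if r.status == 403)
    return {"distinct_ids": distinct, "refused": refused,
            "flag": distinct > distinct_threshold}


if __name__ == "__main__":
    ids = range(1000, 1050)
    got, log = enumerate_ids(vulnerable_lookup, ids)
    print(len(got), "records harvested from the vulnerable endpoint")
    print("per-IP flags:", per_ip_flags(log))        # empty: IPs were rotated
    print("enumeration:", enumeration_flag(log))     # flagged on distinct IDs
    got, log = enumerate_ids(hardened_lookup, ids, token="tok-1001")
    print(len(got), "record(s) from the hardened endpoint;", enumeration_flag(log))
```

The point of the second detector is that the attacker controls the source address but not the shape of the data they are after: a legitimate customer session touches one record, a harvesting run touches many, and a burst of 403s against the hardened endpoint is itself a signal worth alerting on.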
Allegations of Severe Cyber Security Lapses at Medibank by Australia’s Privacy Regulator
The Australian Information Commissioner accused Medibank of neglecting security measures like Multi-Factor Authentication (MFA) for VPN access and failing to respond to several alerts from its endpoint detection and response system, which led to the data breach.
How the Attacker Obtained Medibank Credentials
According to court documents from the lawsuit filed against Medibank by Australia's privacy regulator, the Australian Information Commissioner (AIC) alleged that the attackers gained entry using a Medibank contractor's username and password. Those credentials had earlier been synced to the contractor's personal computer and stolen from it by malware.
The AIC claimed that a contractor at the IT service desk saved Medibank access details to his web browser profile on his work system. Upon signing into his web browser profile on his personal device, the credentials synced and were seized via malware.
The stolen credentials covered a standard user account and an admin account that granted access to “most, if not all, of Medibank’s systems,” including network drives, administrative consoles, and remote desktop access to jump box servers used to reach specific Medibank directories and databases.
The threat actor first logged in to Medibank's Microsoft Exchange Server to confirm the admin credentials worked, then used them to access Medibank's GlobalProtect VPN. Because MFA was not enforced, authentication required only a device certificate or a username and password; either was sufficient on its own.
Between August 25 and October 13, 2022, the threat actor moved through “several IT systems,” learning the structure of Medibank's databases, and exfiltrated 520 gigabytes of data from Medibank's MARS Database and MPLFiler systems.
The AIC contended that Medibank's endpoint detection and response system raised multiple alerts at various stages of the intrusion, but the cyber security team did not properly assess and escalate them until October 11.
Medibank Enhancing Cyber Security, Ready to Battle AIC’s Claims
The exfiltrated data was later published on the dark web. It included names, dates of birth, gender, Medicare numbers, addresses, email addresses, phone numbers, and visa details for overseas and visiting customers.
The AIC also highlighted that the compromised PII included health claims data revealing patient names, provider details, diagnosis codes, procedure codes, and treatment dates.
Deloitte conducted an external review of the breach. In an update, Medibank said it had cooperated with the investigations of the Office of the Australian Information Commissioner (OAIC) since the incident, and that it intends to defend the allegations brought by the AIC.
