2022 was a big year for cybersecurity breaches in Australia.
Both telecommunications provider Optus and private health insurer Medibank suffered large-scale data breaches affecting tens of millions of Australians, leading to increased regulatory and business focus on cybersecurity in the years since.
The two data breaches also led to legal action, with the latest court filings detailing alleged technical contributors to the incidents. In the Optus case, a coding error in an exposed and dormant API provided access, while compromised credentials on an administrator account opened the door to Medibank customer data.
What caused the Optus data breach?
The Australian Communications and Media Authority said a coding error in the access controls of a dormant internet-connected API allowed a cybercriminal to breach Optus' cyber defences and expose the personally identifiable information of 9.5 million current and former customers in 2022.
How a coding error caused a security breach
In a statement of claim attached to court orders published in June 2024, the ACMA detailed how access controls for an unused API, originally designed to allow customers to access information on the Optus website via a subdomain, were rendered ineffective by a coding error in 2018.
The ACMA says that while Optus discovered and fixed the coding error in August 2021 in relation to its main website domain, the telco failed to detect and fix the same error affecting the subdomain. This meant that when the API became accessible to the internet in 2020, Optus was left vulnerable to a cyber attack.
WATCH: Australian CISOs urged to take a closer look at data breach risks
The ACMA says Optus missed several opportunities to identify the bug over four years, including when it was released to a production environment following review and testing in 2018, when it went live on the internet in 2020 and when the coding error was detected on the main domain.
“The target domain was allowed to remain dormant and vulnerable to attack for two years and was not taken down even though it was not necessary,” ACMA said in court documents.
A cybercriminal exploited a coding error in 2022
The coding error allowed a cyber attacker to bypass API access controls and send requests to target APIs over three days in September 2022, according to ACMA, successfully returning customers' personally identifiable information.
The ACMA further states that the cyber attack “was not highly sophisticated nor did it require advanced skills or internal or proprietary knowledge of Optus processes or systems” but was “carried out through a simple process of trial and error”.
Optus suggests the hacker actively avoided detection
Following the filing of the lawsuit in federal court by the ACMA, Optus confirmed a previously unknown vulnerability following a historic coding error. In a statement to iTnews, Optus said it will continue to cooperate with the ACMA, but will defend the action where necessary to correct the record.
Michael Venter, Optus’ interim chief executive, told the publication that the vulnerability was exploited by a “motivated and determined attacker” who evaded and bypassed several authentication and detection controls, even mimicking normal customer activity by rotating through tens of thousands of IP addresses.
In the 2022 breach, the attacker accessed the personally identifiable information of more than 9.5 million Australians, including customers' full names, dates of birth, phone numbers, residential addresses, driver's license details, and passport and Medicare card numbers, some of which was subsequently published on the dark web.
Australia's privacy regulator accuses Medibank of serious cybersecurity failures
Medibank's failure to implement security controls such as MFA for virtual private network access, as well as failing to act on multiple alerts from its endpoint detection and response security system, paved the way for the data breach, the Australian Information Commissioner has said.
The AIC denounces serious failures in Medibank's cybersecurity
In court documents filed for a case brought against Medibank by Australia’s privacy regulator, the AIC alleges that the username and password credentials of a Medibank contractor allowed criminals to hack into the system. The credentials were later synced to his personal computer and extracted using malware.
The AIC claims that a contractor operating a help desk saved Medibank credentials in his personal internet browser profile on his work computer. When he later logged into his internet browser profile on his personal computer, the credentials were synchronized and then stolen using malware.
WATCH: Can Australia ever overcome its cybersecurity skills shortage?
The credentials included a standard access account and an administrator account. The administrator account granted access to “most, if not all, Medibank systems,” including network controllers, management consoles, and remote access to Jumpbox servers, used to access certain Medibank directories and databases.
After logging into Medibank’s Microsoft Exchange server to test the administrator account credentials, the AIC claims the threat actor was able to authenticate and log into Medibank’s Global Protect VPN. As multi-factor authentication was not enabled, only a device certificate or username and password was required.
From August 25 to October 13, 2022, the threat actor accessed “numerous computer systems,” some of which provided information on how Medibank’s databases were structured. The criminal proceeded to exfiltrate 520 gigabytes of data from Medibank’s MARS Database and MPLFiler systems.
The AIC has alleged that Medibank’s endpoint detection and response security system generated several alerts in relation to the threat actor’s activity at different stages of infiltration, but these alerts were not classified or escalated by the cybersecurity team until 11 October.
Medibank improves cybersecurity and will defend AIC procedures
Data exfiltrated during the breach was subsequently published on the dark web, including names, dates of birth, gender, Medicare numbers, residential addresses, email addresses, phone numbers, visa details for international workers and visiting clients.
WATCH: Leading CISO wants Australian businesses to avoid 'surprise' attacks
The sensitive PII released also included customer health claims data, the AIC said, including patient names, provider names, provider location and contact details, diagnosis numbers and procedure numbers, and treatment dates.
Deloitte conducted an external review of the data breach and in an update, Medibank said it had been cooperating with the OAIC's investigations following the incident. The health insurer said it intends to defend itself against the proceedings initiated by the AIC.
