In 2022, Australian organisations faced a significant surge in cyber security breaches, marking a year of heightened vulnerability and exposure.
Optus and Medibank, two major Australian companies, experienced massive data breaches that exposed tens of millions of citizens’ sensitive information, prompting a heightened focus on cybersecurity from regulators and businesses alike in the aftermath.
Both breaches subsequently prompted legal action, with recent court filings shedding light on the suspected technical causes of the incidents. A coding error in a previously unknown API allowed unauthorized access at Optus, while weak administrator credentials enabled hackers to reach Medibank’s sensitive customer data.
A software bug in an external contractor’s system was reportedly the initial trigger for the massive data breach at Australian telecommunications company Optus.
A coding error within the entry controls for a previously unused, publicly accessible application programming interface (API) allowed a malicious actor to circumvent Optus’ cybersecurity measures, resulting in the unauthorized disclosure of sensitive information regarding approximately 9.5 million past and current customers in 2022, as stated by the Australian Communications and Media Authority.
A glitch in the system’s programming allowed an unauthorized individual to access sensitive information. The mistake occurred when a developer failed to implement proper encryption protocols, leaving confidential data vulnerable to exploitation. This oversight created a backdoor through which malicious actors could infiltrate the system and gain access to critical information.
The Australian Communications and Media Authority (ACMA) has revealed that the access controls on an idle API, originally intended to let customers retrieve information from the Optus website through a subdomain, were bypassed because of a vulnerability in those controls.
The Australian Communications and Media Authority (ACMA) asserts that, although Optus identified and rectified a coding error on its main website platform in August 2021, the telecommunications provider failed to detect and remedy an identical error affecting its subdomain. The API’s transition to an internet-facing platform in 2020 left Optus exposed to attack.
ACMA claims that Optus failed to identify several opportunities to detect the error over a four-year period, including when it was first launched into a production setting following evaluation and testing in 2018, when it became internet-facing in 2020, and when the coding error was initially detected at its primary site.
According to court documents, the API remained idle and exposed to attack for two years without being decommissioned, despite there being no demand for its use.
A cybercriminal successfully exploited a coding flaw in 2022.
A coding error enabled an unauthorised actor to circumvent API entry controls for three consecutive days in September 2022, according to the Australian Communications and Media Authority (ACMA), thereby permitting illegitimate access to sensitive personal identifiable information (PII) of customers.
The ACMA notes that the cyber attack on Optus was not sophisticated, nor did it necessitate exceptional skills or access to proprietary information about the company’s processes or methods, but rather was executed through a straightforward process of trial and error.
Optus, for its part, says it has evidence suggesting that a sophisticated attacker deliberately took steps to avoid being detected.
After ACMA filed proceedings in the Federal Court, Optus acknowledged an unforeseen weakness stemming from a long-standing coding fault. Optus has announced its intention to work collaboratively with the Australian Communications and Media Authority (ACMA), while reserving the right to vigorously defend any aspects of the case it considers necessary.
According to Optus’ Interim CEO Michael Venter, a sophisticated criminal exploited the vulnerability, successfully evading and circumventing multiple layers of authentication and detection controls by mimicking legitimate user behavior through a vast array of IP addresses numbering in the hundreds of thousands.
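The two failure modes described above, an API whose entry controls never check who is asking and an enumeration of customer records by trial and error spread across a large pool of IP addresses, are modelled in the following added example. It is not code from Optus, ACMA or the article: the customer store, session tokens, endpoint names and access-log lines are all constructed, and the detection rule (look for runs of consecutive record IDs fetched successfully rather than counting requests per IP) is one defensive approach, not a description of what Optus ran.

```python
"""Added example (not from the article, Optus or ACMA): a minimal model of
an unauthenticated customer-lookup API, the authorization check that should
gate it, and a log-based detector for record enumeration that is spread
across many source IPs. All names, records and log lines are constructed."""
from collections import defaultdict

# Constructed sample customer store, keyed by a guessable sequential ID.
CUSTOMERS = {
    1001: {"name": "A. Citizen", "passport": "PA1234567"},
    1002: {"name": "B. Citizen", "passport": "PB2345678"},
    1003: {"name": "C. Citizen", "passport": "PC3456789"},
}

# Constructed sessions: token -> customer ID the token was issued for.
SESSIONS = {"tok-alpha": 1001, "tok-beta": 1002}


def lookup_vulnerable(customer_id, token=None):
    """The weak entry control: the record is returned to any caller who
    supplies an ID, so the whole ID space can be walked by trial and error."""
    return CUSTOMERS.get(customer_id)


def lookup_hardened(customer_id, token):
    """Authenticate the session, then authorise it for exactly the record it
    was issued for. A bad token and a foreign record get the same answer so
    the response does not leak which IDs exist."""
    owner = SESSIONS.get(token)
    if owner is None or owner != customer_id:
        return None
    return CUSTOMERS[customer_id]


# Constructed access-log lines: "<source ip> <status> <path>". Each source IP
# touches only one or two records, so a per-IP rate limit would see nothing.
LOG = """
203.0.113.5 200 /api/customer/1001
203.0.113.5 200 /api/customer/1002
198.51.100.7 200 /api/customer/1003
198.51.100.7 200 /api/customer/1004
192.0.2.9 200 /api/customer/1005
192.0.2.9 200 /api/customer/1006
10.0.0.1 200 /api/customer/1002
""".strip().splitlines()

# Constructed benign traffic: repeated, non-consecutive lookups.
BENIGN_LOG = """
10.0.0.1 200 /api/customer/1002
10.0.0.1 200 /api/customer/1002
10.0.0.2 200 /api/customer/1005
""".strip().splitlines()


def parse_log(lines):
    """Yield (ip, status, customer_id) from the constructed log format."""
    for line in lines:
        ip, status, path = line.split()
        yield ip, int(status), int(path.rsplit("/", 1)[1])


def detect_enumeration(lines, window=3):
    """Flag distributed enumeration: a run of at least `window` consecutive
    customer IDs that were all fetched successfully (HTTP 200) by more than
    one source IP. Returns a list of (first_id, last_id, distinct_ip_count)."""
    ips_by_id = defaultdict(set)
    for ip, status, cid in parse_log(lines):
        if status == 200:
            ips_by_id[cid].add(ip)
    ids = sorted(ips_by_id)
    findings = []
    start = 0
    for i in range(1, len(ids) + 1):
        # A run ends at the end of the list or where the sequence breaks.
        if i == len(ids) or ids[i] != ids[i - 1] + 1:
            run = ids[start:i]
            ips = set().union(*(ips_by_id[c] for c in run))
            if len(run) >= window and len(ips) > 1:
                findings.append((run[0], run[-1], len(ips)))
            start = i
    return findings


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable(1003))
    print("hardened, wrong owner:", lookup_hardened(1003, "tok-alpha"))
    print("hardened, right owner:", lookup_hardened(1001, "tok-alpha"))
    print("enumeration findings:", detect_enumeration(LOG))
    print("benign findings:", detect_enumeration(BENIGN_LOG))
```

The detector keys on the shape of what was retrieved, not on who retrieved it; that is the point of correlating across sources when an attacker rotates IP addresses to stay under per-client thresholds.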
According to reports, the personally identifiable information (PII) of over 9.5 million Australians was compromised during the 2022 breach. The compromised database contained customers’ full names, dates of birth, phone numbers, home addresses, driver’s licence details, and passport and Medicare card numbers, some of which have since appeared on the dark web.
Australia’s privacy watchdog has accused health insurer Medibank of serious cybersecurity failures that put thousands of customers at risk.
The Australian Information Commissioner accused Medibank of laying the groundwork for its data breach by neglecting to implement multi-factor authentication controls for virtual private network (VPN) access, as well as ignoring numerous alerts from its endpoint detection and response system, ultimately paving the way for the incident.
The Australian Information Commissioner (AIC) has identified significant shortfalls in Medibank’s cyber security measures.
According to the Australian Information Commissioner (AIC), hackers gained unauthorized access to Medibank’s systems because of inadequate security measures, specifically a contractor’s account whose username and password had been compromised. The contractor’s personal computer was infected with malware, which gave the attacker access to credentials that had been synchronized to it.
The AIC alleged that a contractor working for Medibank’s IT service desk saved their Medibank login credentials in a personal web browser profile on a work-issued computer. When the contractor later signed in to the same browser profile on a personal PC, the synchronized credentials were stolen by malware on that machine.
The stolen credentials consisted of a standard user account and an administrative account. The administrative account granted access to “most, if not all,” of Medibank’s systems, including network drives, administrative consoles, and remote desktop access to jump box servers that allowed entry into specific Medibank directories and databases.
The AIC reports that the attacker first validated the admin account credentials by authenticating to Medibank’s Microsoft Exchange server, and was then able to authenticate and log on to Medibank’s GlobalProtect VPN. Because MFA was not enabled, access to the VPN required only a device certificate or a username and password combination.
From Aug. 25 to Oct. 13, 2022, the attacker exploited “multiple IT vulnerabilities,” gaining insight into the underlying architecture of Medibank’s databases through several of these compromised entry points. The criminal exploited weaknesses in Medibank’s MARS Database and MPLFiler systems, successfully extracting approximately 520 gigabytes of sensitive information.
The Australian Information Commissioner (AIC) claims that Medibank’s endpoint detection and response system produced various alerts throughout the stages of the adversary’s intrusion, but these alerts were not prioritized and escalated by the cybersecurity team until Oct. 11.
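The allegations above (an admin account that could reach most systems over a VPN without MFA, and endpoint alerts raised at several stages of the intrusion but not escalated for weeks) describe an alert-triage failure as much as an authentication one. The following added example, which is not code from Medibank or the AIC, shows one correlation rule a detection team could run over such alerts: alerts that look minor one at a time are grouped by account, and an account whose alerts span more than one intrusion stage within a bounded gap is escalated as a single case. The alert records, host names, account names and stage labels are all constructed.

```python
"""Added example (not Medibank's or the AIC's code): a small escalation rule
run over constructed EDR alerts, showing how alerts that look unrelated on
their own become one escalated case when correlated by account across
intrusion stages. Field names, hosts, accounts and dates are constructed."""
from collections import defaultdict
from datetime import date

# Constructed alerts: (date, host, account, stage). The stage labels follow a
# coarse intrusion sequence: credential access -> lateral movement -> exfiltration.
ALERTS = [
    (date(2022, 8, 25), "contractor-pc", "svc-admin", "credential_access"),
    (date(2022, 9, 2), "jump-01", "svc-admin", "lateral_movement"),
    (date(2022, 9, 20), "db-03", "svc-admin", "lateral_movement"),
    (date(2022, 10, 1), "db-03", "svc-admin", "exfiltration"),
    (date(2022, 9, 5), "laptop-17", "jsmith", "credential_access"),
]

STAGE_RANK = {"credential_access": 1, "lateral_movement": 2, "exfiltration": 3}


def correlate(alerts, min_stages=2, max_gap_days=30):
    """Group alerts by account and escalate an account whose chain of alerts
    covers at least `min_stages` distinct stages, where consecutive alerts in
    the chain are no more than `max_gap_days` apart (a longer gap starts a
    new chain). Returns {account: (chain_start, escalate_on, stages)}."""
    by_account = defaultdict(list)
    for when, host, account, stage in alerts:
        by_account[account].append((when, host, stage))

    cases = {}
    for account, items in by_account.items():
        items.sort()  # chronological order
        chain_start, seen, escalate_on = items[0][0], {items[0][2]}, None
        for (prev_day, _, _), (day, _, stage) in zip(items, items[1:]):
            if (day - prev_day).days > max_gap_days:
                chain_start, seen, escalate_on = day, set(), None
            seen.add(stage)
            if escalate_on is None and len(seen) >= min_stages:
                escalate_on = day  # the first day the rule would have fired
        if escalate_on is not None:
            cases[account] = (
                chain_start,
                escalate_on,
                sorted(seen, key=STAGE_RANK.get),
            )
    return cases


def dwell_before_escalation(cases):
    """Days between the first alert in each escalated chain and the day the
    rule fires; the figure to compare against how long escalation took."""
    return {acct: (fired - start).days for acct, (start, fired, _) in cases.items()}


if __name__ == "__main__":
    found = correlate(ALERTS)
    for acct, (start, fired, stages) in found.items():
        print(f"{acct}: chain from {start}, escalate on {fired}, stages {stages}")
    print("dwell days:", dwell_before_escalation(found))
```

With the constructed data the rule fires for the admin account on the second alert, eight days after the first, while the single alert for the unrelated user stays a single alert. Tightening `max_gap_days` too far breaks the chain and the rule goes quiet, which is the trade-off a team has to tune against its own alert volume.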
Medibank takes a proactive approach to cyber security, bolstering its digital defences to safeguard against potential threats.
Sensitive information extracted during the security breach was subsequently disseminated across the dark web, compromising confidential details such as names, birthdates, genders, Medicare identification numbers, home addresses, email addresses, phone numbers, and visa information for international employees and customers.
Sensitive personal health data, including customer health claims information, was also published alongside patient details, including names, provider information such as location and contact details, diagnosis numbers, procedure numbers and treatment dates, as noted by the AIC.
Following the breach, Deloitte conducted an external investigation to assess the incident’s scope and impact. Medibank responded in a statement. The health insurer is now facing proceedings brought by the Australian Information Commissioner (AIC).