Optus and Medibank data breach cases accused of cybersecurity lapses

Broadcast United News Desk

2022 has been a year of cybersecurity breaches in Australia.

Telecommunications provider Optus and private health insurer Medibank both suffered massive data breaches affecting tens of millions of Australians, leading to a heightened regulatory and corporate focus on cybersecurity in the years since.

Both data breaches have also sparked legal action, with recent court documents detailing the technical factors alleged to have caused them. For Optus, a coding error in an exposed dormant API provided access, while stolen credentials on an administrator account opened the door to Medibank’s customer data.

What caused the Optus data breach?

The Australian Communications and Media Authority (ACMA) said a coding error in the access controls of a dormant internet-facing API allowed cybercriminals to breach Optus’ network defenses and expose the personally identifiable information of 9.5 million former and current customers in 2022.

How Coding Errors Lead to Security Vulnerabilities

In a statement of claim attached to the court order issued in June 2024, ACMA detailed how access controls on the unused API failed. The API was originally designed to allow customers to access information on the Optus website via a subdomain, and the coding error dates back to 2018.

ACMA claims that while Optus discovered and fixed a coding error in its main website domain in August 2021, the telco did not detect and fix the same error affecting subdomains. This meant that when the API was exposed to the internet in 2020, Optus was vulnerable to a cyberattack.


ACMA claims Optus missed several opportunities to identify the error over a four-year period: when the API was released to production after review and testing in 2018, when it was made internet-facing in 2020, and when the same coding error was detected on the primary domain in 2021.

“The target domain was allowed to remain idle for two years and was extremely vulnerable to attack, but was not deactivated despite there being no need for it,” the ACMA said in court documents.
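The failure mode ACMA describes, an authorisation check that was fixed on one hostname but not on a subdomain serving the same API, is easy to reproduce in miniature. The following is an added illustration written for this article, not Optus code or ACMA's description of it; the hostnames, customer records and request shape are constructed. It contrasts a gateway that wires the authorisation check per host (so a dormant subdomain bypasses it) with one that enforces authorisation centrally and refuses to serve hosts that are not on an active allow-list.

```python
"""Per-host vs. central authorisation on a customer-record API.

Added example. Hostnames (*.example-telco.invalid), records and tokens are
constructed; nothing here is taken from the Optus environment.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample data: customer id -> record, with the session token
# that customer would hold after logging in.
CUSTOMERS: Dict[int, dict] = {
    1001: {"name": "A. Customer", "session": "tok-1001"},
    1002: {"name": "B. Customer", "session": "tok-1002"},
}

CUSTOMER_PATH = re.compile(r"^/api/customers/(\d+)$")


@dataclass
class Request:
    host: str
    path: str
    session: Optional[str] = None  # bearer/session token, None if absent


def parse_customer_id(path: str) -> Optional[int]:
    m = CUSTOMER_PATH.match(path)
    return int(m.group(1)) if m else None


def authorise(req: Request, customer_id: int) -> bool:
    """A caller may read only the record whose session token it presents."""
    if req.session is None:
        return False
    record = CUSTOMERS.get(customer_id)
    return record is not None and record["session"] == req.session


def lookup_handler(customer_id: int) -> dict:
    """Business handler: trusts that the gateway already authorised the caller."""
    return CUSTOMERS[customer_id]


class VulnerableGateway:
    """Authorisation is attached per host. The fix reached www only, so the
    same API served from a dormant subdomain returns records to anyone."""
    PROTECTED_HOSTS = {"www.example-telco.invalid"}

    def handle(self, req: Request) -> Tuple[int, Optional[dict]]:
        cid = parse_customer_id(req.path)
        if cid is None or cid not in CUSTOMERS:
            return 404, None
        if req.host in self.PROTECTED_HOSTS and not authorise(req, cid):
            return 403, None
        return 200, lookup_handler(cid)  # unchecked on every other host


class HardenedGateway:
    """Deny by default: unknown or dormant hosts are not served at all, and
    authorisation runs before routing regardless of hostname."""
    ACTIVE_HOSTS = {"www.example-telco.invalid"}  # dormant api.* host removed

    def handle(self, req: Request) -> Tuple[int, Optional[dict]]:
        if req.host not in self.ACTIVE_HOSTS:
            return 404, None
        cid = parse_customer_id(req.path)
        if cid is None or cid not in CUSTOMERS:
            return 404, None
        if not authorise(req, cid):
            return 403, None
        return 200, lookup_handler(cid)


if __name__ == "__main__":
    anon = Request("api.example-telco.invalid", "/api/customers/1002")
    print("vulnerable, dormant subdomain, no session:", VulnerableGateway().handle(anon))
    print("hardened, dormant subdomain, no session:  ", HardenedGateway().handle(anon))
```

The point of the hardened variant is that the list of served hostnames and the authorisation step are both single, central decisions: an endpoint nobody maintains cannot stay reachable by accident, and a fix to the check cannot land on one hostname while another keeps the old behaviour.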

In 2022, a cybercriminal took advantage of this coding error

ACMA claims that the coding error enabled the cyber attacker to bypass API access controls and send requests to the target API over three days in September 2022 that successfully returned customers’ PII.

The ACMA further noted that the cyberattack was “not highly sophisticated and did not require advanced skills or proprietary or internal knowledge of Optus processes or systems” and was instead “conducted through a simple trial-and-error process”.

Optus says hackers actively avoided detection

Optus confirmed the previously unknown vulnerability, which stems from a historical coding error, after the ACMA filed Federal Court proceedings. In a statement to iTnews, Optus said it would continue to work with the ACMA but would defend its actions where necessary to correct errors.

Optus interim CEO Michael Venter told the publication that the vulnerability was exploited by “motivated and determined criminals” who evaded and bypassed various authentication and detection controls, including by rotating tens of thousands of IP addresses to mimic usual customer activity.
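Rotating source addresses defeats any control keyed on the client IP, which is what ACMA's "trial-and-error" description and Optus' account of tens of thousands of IPs together imply. The detection logic below is an added example written for this article, not Optus tooling or anything from the court documents; its log format and every record in it are constructed. It shows why a per-IP view stays quiet during such a scan and what a defender can key on instead: how many distinct customer records one principal reads, and whether successful requests walk through identifiers sequentially across the whole endpoint irrespective of IP.

```python
"""Enumeration detection that does not rely on source IP.

Added example with a constructed access-log format:
  <ISO timestamp> <source IP> <session token or '-'> <customer id> <HTTP status>
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    ts: datetime
    ip: str
    principal: str  # session token, or "-" when the request carried none
    customer_id: int
    status: int


def build_sample_log() -> str:
    """Constructed log: three legitimate customers each reading their own
    record, plus a 40-request scan that changes source IP on every request,
    presents no session, and steps through ids 2001..2040."""
    lines = [
        "2022-09-17T10:00:00Z 203.0.113.10 tok-1001 1001 200",
        "2022-09-17T10:02:30Z 203.0.113.11 tok-1002 1002 200",
        "2022-09-17T10:04:00Z 203.0.113.12 tok-1003 1003 200",
    ]
    base = datetime(2022, 9, 17, 10, 1, 0)
    for i in range(40):
        ts = (base + timedelta(seconds=2 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} 198.51.100.{i + 1} - {2001 + i} 200")
    return "\n".join(lines)


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, principal, cid, status = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            ip, principal, int(cid), int(status)))
    return sorted(events, key=lambda e: e.ts)


def per_ip_hotspots(events: List[Event], threshold: int = 20) -> Dict[str, int]:
    """What an IP-based rate limiter sees. With one request per address,
    no IP ever approaches the threshold."""
    counts = Counter(e.ip for e in events if e.status == 200)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def principals_reading_many_records(events: List[Event],
                                    max_distinct: int = 1) -> Dict[str, int]:
    """A genuine customer reads one record (their own). Any principal,
    including the anonymous '-', that reads more is suspicious."""
    seen = defaultdict(set)
    for e in events:
        if e.status == 200:
            seen[e.principal].add(e.customer_id)
    return {p: len(ids) for p, ids in seen.items() if len(ids) > max_distinct}


def sequential_scan_ratio(events: List[Event]) -> float:
    """Share of successful requests whose id is exactly one above the previous
    successful request's id, in time order and ignoring source IP."""
    ids = [e.customer_id for e in events if e.status == 200]
    if len(ids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ids, ids[1:]) if b == a + 1)
    return steps / (len(ids) - 1)


def analyze(text: str) -> dict:
    events = parse_log(text)
    return {
        "per_ip_hotspots": per_ip_hotspots(events),
        "multi_record_principals": principals_reading_many_records(events),
        "sequential_ratio": sequential_scan_ratio(events),
    }


if __name__ == "__main__":
    for k, v in analyze(build_sample_log()).items():
        print(f"{k}: {v}")
```

On the constructed log the per-IP view reports nothing, while the anonymous principal is seen reading 40 distinct records and more than nine in ten successful requests are one id apart. Unauthenticated reads of customer records should not succeed at all, but where an endpoint does answer, these two signals are what an alert rule should be built on rather than request counts per address.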

In the 2022 breach, cyber attackers gained access to PII of more than 9.5 million Australians. This included customers’ full names, dates of birth, phone numbers, residential addresses, driver’s license details, and passport and health insurance card numbers, some of which was later posted on the dark web.

Australia’s privacy watchdog accuses Medibank of serious cybersecurity breaches

The Australian Information Commissioner alleges that Medibank’s failure to implement security controls such as MFA for virtual private network access, as well as its failure to act on multiple alerts from its endpoint detection and response security systems, paved the way for its data breach.

AIC accuses Medibank of serious cybersecurity breach

In court documents from Australia’s privacy regulator’s case against Medibank, the AIC claims that a Medibank contractor’s username and password allowed criminals to break into Medibank. The credentials had been synced to his personal computer and extracted via malware.

AIC claims that an IT help desk operator contractor saved Medibank credentials to his personal internet browser profile on his work computer. When he later logged into the internet browser profile on his personal computer, the credentials were synced and then stolen via malware.


The credentials included a standard access account and an administrator account. The administrator account had access to “most, if not all, Medibank systems,” including network drives, the management console and remote desktop access to jump box servers, which were used to access certain Medibank directories and databases.

After testing the administrator account credentials against Medibank’s Microsoft Exchange Server, the AIC claims, the threat actor was able to authenticate to Medibank’s GlobalProtect VPN. Since MFA was not enabled, only a device certificate or a username and password was required.

Between August 25 and October 13, 2022, the threat actors accessed “numerous IT systems,” some of which provided information about the structure of Medibank’s databases. The criminals went on to extract 520 GB of data from Medibank’s MARS database and MPLFiler system.

The AIC claims that Medibank’s endpoint detection and response security systems generated various alerts regarding the threat actor’s activities at different stages of infiltration, but these were not triaged and escalated by the cybersecurity team until October 11.

Medibank is beefing up its cybersecurity and will defend itself against AIC lawsuit

The data leaked in the breach, which was subsequently posted on the dark web, included names, dates of birth, gender, health insurance numbers, residential addresses, email addresses, phone numbers, and visa details of international workers and visitor customers.


The AIC said the sensitive PII data released also includes customer health claims data, including patient name, provider name, provider location and contact information, diagnosis and procedure numbers, and treatment dates.

In an update on the external review of the breach conducted by Deloitte, Medibank said it has been cooperating with the OAIC investigation since the incident. The health insurer says it intends to defend the lawsuit filed by the AIC.
