The private Australian health insurer Medibank did not have multi factor authentication protections on its private network when it was successfully hacked, new court filings allege.

The Office of the Australian Information Commissioner (OAIC) alleges a lack of multi factor authentication at Medibank led to the 2022 data hack of nearly 9.7 million current and previous customers.

Documents filed to the Federal Court on Monday by the OAIC allege the massive data breach stemmed from an employee of a Medibank contractor, an IT service desk operator, who saved his login details to a personal web browser installed on his work computer.

When he then signed into his internet browser on his personal computer, the credentials were synced to that device.

Those details were then stolen from his personal computer on or around August 7, 2022, with malware, and the thief was then able to access Medibank’s Microsoft Exchange Server and virtual private network (VPN).

“Global Protect VPN did not require two or more proofs of identity or multi-factor authentication (MFA),” the court documents said.

“Rather, Medibank’s Global Protect VPN was configured so that only a device certificate, or a username and password (such as the Medibank Credentials), was required.”

The hack led to the personal details, including names, addresses, Medicare numbers health information and financial information of past and present Medibank and ahm customers being published on the dark web.

The OAIC is alleging Medibank breached sections of the Privacy Act by not taking enough steps to protect the sensitive information it held about its customers.

In 2018 and 2020, Medibank was made aware of weaknesses and vulnerabilities in its cyber security, including “deficiencies regarding insecure or weak password requirements”.

A separate report by Datacom in 2020 found a “number of individuals had been given excessive privileges to perform simple daily routines, and that MFA had not been enabled for privileged and non-privileged users which was described as a ‘critical’ defect”.

Richard Buckland, a cyber security expert at the University of NSW, describes the allegations in the filing documents as “just shocking”.

He says the login details allegedly accessed from a synched IT worker’s personal computer appears to just be the “proximate cause” of what happened next.

“It shouldn’t have led to such a catastrophic chain of events,” he says.

He says the filings allege there was “audit after audit” on Medibank’s cybersecurity systems and “deficiencies in their systems” that allowed hackers to get into them.

“It’s no surprise the regulator is outraged and reacting so vigorously.”

Big potential fines

Each contravention comes with a maximum penalty of $2.22 million.

The commissioner is alleging a contravention for each of the 9.7 million customers, which works out to a potential maximum fine of more than $21 trillion.

It will be up to the Federal Court whether any fines are applied.

Changes to the Privacy Act in late 2022 set the maximum fine a company could receive at $50 million or 30 per cent of its turnover during the period of the breach, whichever was greater.

However, the Medibank breach occurred before those new laws were in place and is subject to the old penalties.

Medibank declined to comment.

Posted , updated