Medibank failed to implement the following specific security measures: Multi-factor authentication for its Virtual Private Network (VPN): Medibank did not require two or more ways of proving a user’s identity for accessing its VPN. This means that the hackers only needed someone’s username and password to gain access to Medibank’s corporate network. ...