Medibank failed to implement the following specific security measures:
- Multi-factor authentication for its Virtual Private Network (VPN): Medibank did not require two or more ways of proving a user’s identity for accessing its VPN. This means that the hackers only needed someone’s username and password to gain access to Medibank’s corporate network.
- Proper triaging and escalation of security alerts: When the hackers were attempting to breach Medibank’s systems, the security software sent alerts to an IT security email. However, these alerts were not appropriately triaged or escalated by either Medibank or its service provider. This failure allowed the hackers to continue their activities without being detected.
- Strengthening password requirements: Internal audits and external consultants repeatedly warned Medibank about its insecure or weak password requirements. Despite these warnings, Medibank did not take sufficient steps to strengthen its password requirements, leaving its systems vulnerable to cyberattacks.
- Implementation of multi-factor authentication for privileged users: A KPMG report highlighted that multi-factor authentication had not been implemented for privileged users when accessing specific systems, backend portals, or supporting servers. This failure to implement multi-factor authentication for privileged users increased the risk of unauthorized access to sensitive information.
Just watch the lawsuits roll on