We can learn plenty of lessons from various hacking scenarios around the world. In this article, I want to focus on the Medibank hack scenario. This is only one of the many scenarios I want to tackle in the future, but we’ll concentrate on the Medibank case for now.
The Medibank Hack Incident
We’ve got a lot of feedback and reports surrounding the hacking of Medibank — one of Australia’s largest private health insurance providers — but little detail on what actually occurred.
Let’s take a look at this excerpt from The Conversation that somewhat dove into the details of what happened.
The hacker sold the Medibank employee’s credentials to REvil, a notorious cybercriminal group. This group then threatened to release the data they stole within 24 hours if Medibank failed to send them a ransom of an undisclosed amount.
What Exactly Could Have Happened?
After reading several articles on this case, my best guess is that the credentials were taken from the employee through a phishing attack.
A phishing attack is when a hacker sends you an email asking you to go to another website — usually an imitation of a well-known legitimate website — and enter your email, password, and other sensitive information.
Alternatively, the employee somehow lost their username and password, but them falling victim to a phishing attack is more likely.
Now, I’m going into what I believe Medibank could’ve done to prevent this incident from happening.
Use a Zero Trust Policy
Most companies that handle sensitive consumer data implement a Zero Trust policy. This is a framework where users have the minimum amount of access to any information within the company.
It’s difficult to say for sure whether or not the Medibank employee should’ve had access to the company’s repositories. However, if that employee didn’t have access to the data when they didn’t need it, then the hack wouldn’t have happened.
Use Multi-Factor Authentication
It’s also unclear whether or not the employee had multi-factor authentication (MFA) access to the repositories.
Here’s another interesting point: when incidents like this happen, it’s never because of a single thing. Rather, it’s a combination of things.
In essence, the phishing scam alone wasn’t enough to execute the full attack. Let’s say the hackers did compromise the Medibank employee’s number, username, and password, and let’s say they were able to log in. MFA would have stopped the hack right there and prompted Medibank of an unauthorized login — if it was enabled.
Terminate Accounts or Reset Passwords
Not mentioned in some articles: the employee reportedly left Medibank before the incident happened. Therefore, all of their accounts should’ve been terminated at that point. However, according to some sources, the account with repository access wasn’t terminated.
This also wasn’t mentioned in many articles: there was a three-to-six-month time interval between the date the hackers acquired the employee’s credentials and when they sold them to REvil.
During that period, Medibank could’ve forced reset the password of their employee’s account, and the attack could’ve been prevented.
A Combination of Mistakes
As a recap, if any of the following steps were followed, the attack wouldn’t have occurred:
- Avoid phishing scams
- Terminate the account
- Reset the password
- Implement Zero Trust policy
- Activate MFA
Overall, the Medibank hack scenario isn’t a one-sided failure — it’s a failure of a system across multiple processes.
To be clear, no reports or releases have been published yet to confirm my interpretation of what happened. However, it’s the best explanation I can come up with just by piecing the facts together.
The Bottom Line
Businesses should be security-conscious at all times. It’s crucial to run as many security processes as possible to make them fail-safe. If you fall for a phishing scam, MFA can save you. If your credentials get compromised even if you follow good password hygiene, you can force reset your password if necessary.
Security concerns are becoming more pressing, and I’m going to talk about various compliance frameworks and how they could’ve prevented the Medibank hack scenario from happening. For now, it seems that Medibank — even the size they are — didn’t follow such best practices, and it’s a good lesson for all businesses to consider.