From one of the Largest Data Breaches in Australian History
On 5 June 2024, the Australian Information Commissioner filed civil penalty proceedings in the Federal Court against a prominent Australian health insurance provider due to a significant data breach that occurred in October 2022. On 17 June, 2024, the Office of Australian Information Commissioner published a concise statement detailing the events surrounding the breach.
The statement sheds light on critical missteps by the Insurer. In this short post, let’s firstly analyse those key missteps, and then our recommendations for dealing with similar scenarios based on the information security principles.
Misstep 1: Poor Login Credential Management
An IT Service Desk Operator at the Insurer stored work login credentials in his personal internet browser profile on his work computer. These credentials synchronised to his personal computer, which was later compromised by malware, resulted in the theft of credentials by a threat actor.
Recommendation: avoid saving work login credentials in browser profiles. If traditional username/password login method is used, enforce Multi-Factor Authentication (MFA) as a standard practice. Alternatively, consider adopting passwordless login methods for enhanced security and stronger resistance to phishing attacks.
Misstep 2: Excessive Privileges and Weak Access Controls
The compromised credentials granted both standard and administrative access to most of the Insurer’s systems without segregation of duties. Additionally, the “Global Protect” VPN used for remote access lacked MFA.
Recommendation: follow the information security principles of Separation of Duties and Least Privilege. Separate standard login access from privileged admin access. Furthermore, implement “Just-in-Time” access for privileged admin functions. Ensure all remote access mechanisms, like VPNs have MFA enforced.
Misstep 3: Inadequate Security Monitoring
The Insurer’s Security Operations Center (SOC) mishandled critical security alerts from the Endpoint Detection and Response (EDR) software, failed to respond promptly to suspicious activities involving privileged accounts.
Recommendation: Establish robust security monitoring processes and procedures to effectively detect and respond to security alerts. Configure volumetric alerts to promptly identify and mitigate large-scale data exfiltration attempts from sensitive servers.
Misstep 4: Data Exfiltration Without Blockage
The threat actor successfully exfiltrated a substantial amount of data from the Insurer’s systems without encountering effective blocks or alerts.
Recommendation: Implement comprehensive Data Loss Prevention (DLP) policies and mechanisms across all critical information assets to prevent unauthorised data downloads and ensure timely detection of such activities.
In conclusion, a significant data breach avalanching from a simple and easy to address password issue. This shows the importance of adhering to guidance including the Essential 8 and demonstrates that irrespective of the size of an organisation, we need to continually monitor the effectiveness of our cyber security controls.
