In October 2022, Medibank Private confirmed that attackers had accessed the personal and medical records of approximately 9.7 million current and former customers. The attacker then exfiltrated that data and threatened to publish it unless a ransom was paid. Medibank refused. The data was published.
How the Attack Happened
The initial access vector was a set of stolen credentials belonging to a third-party IT service provider. Those credentials were used to access Medibank's network via a remote management tool. There was no multi-factor authentication protecting that access point. Once inside, the attacker moved laterally and identified the data they wanted before exfiltrating it.
Why This Matters Beyond Healthcare
The Medibank incident is not a healthcare story. It is a credentials story. Stolen credentials, an exposed remote access tool, and no MFA — these are conditions that exist in businesses of every size and sector across Australia. The data happened to be medical records. It could have been financial records, client files, or employee information.
The Regulatory Consequence
The Office of the Australian Information Commissioner launched an investigation. The Australian Federal Police attributed the attack to Russian cybercriminal group REvil. Medibank faces ongoing regulatory action and potential penalties under the Privacy Act. The reforms proposed following this incident significantly increase maximum penalties for serious breaches.
Practical Takeaways
Three actions that would have changed the outcome: MFA on all remote access tools, network segmentation limiting lateral movement, and a vendor access review ensuring third-party credentials are scoped to minimum necessary access. None of these require enterprise-grade infrastructure. They require deliberate implementation.
How do I know if my remote access is properly protected?
Check every tool that allows external access to your environment — VPNs, Remote Desktop, remote management software. Confirm MFA is enforced. Confirm third-party access is documented, scoped, and reviewed regularly. A security review will surface gaps before an attacker does.
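The review described above, as an added example that is not part of the original article: a small Python script that walks an inventory of remote-access entry points (VPN, RDP, remote management tools) and flags the three conditions the Medibank write-up singles out, namely MFA not enforced, third-party access that is broader than the minimum necessary, and access whose last documented review is missing or stale. The inventory, the tool names, the vendor name and the 90-day review window are all constructed for illustration; in practice the entries would be exported from the identity provider, VPN appliance and vendor register.

```python
"""Remote-access and vendor-access review (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumption: a documented review older than this is treated as stale.
REVIEW_MAX_AGE = timedelta(days=90)


@dataclass
class RemoteAccess:
    name: str                   # tool or account label
    kind: str                   # "vpn", "rdp", "rmm", ...
    owner: str                  # internal team or third-party vendor
    third_party: bool           # credential is held outside the organisation
    mfa_enforced: bool          # MFA required at this entry point
    scope: str                  # "minimal", "broad" or "unknown"
    last_review: Optional[date]  # date of the last documented access review


def review_access(entries: List[RemoteAccess], today: date) -> Dict[str, List[str]]:
    """Map each entry name to its list of findings; an empty list passes."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        issues: List[str] = []
        if not e.mfa_enforced:
            issues.append("MFA not enforced")
        # Third-party credentials must be scoped to the minimum necessary access.
        if e.third_party and e.scope != "minimal":
            issues.append(f"third-party access scope is '{e.scope}', not minimal")
        if e.last_review is None:
            issues.append("no documented review")
        elif today - e.last_review > REVIEW_MAX_AGE:
            issues.append(f"review is {(today - e.last_review).days} days old")
        findings[e.name] = issues
    return findings


def failing_entries(findings: Dict[str, List[str]]) -> List[str]:
    """Names of entries with at least one finding, sorted for stable output."""
    return sorted(name for name, issues in findings.items() if issues)


# Constructed inventory: names, vendor and dates are illustrative only.
TODAY = date(2024, 1, 1)
SAMPLE_INVENTORY = [
    RemoteAccess("corporate-vpn", "vpn", "IT", False, True, "minimal", date(2023, 12, 1)),
    RemoteAccess("vendor-rmm", "rmm", "Example MSP (constructed)", True, False, "broad", None),
    RemoteAccess("branch-rdp", "rdp", "IT", False, True, "broad", date(2023, 6, 1)),
]

if __name__ == "__main__":
    results = review_access(SAMPLE_INVENTORY, TODAY)
    for name in failing_entries(results):
        print(f"{name}:")
        for issue in results[name]:
            print(f"  - {issue}")
```

The vendor-managed RMM entry reproduces the Medibank conditions (third-party credential, no MFA, broad scope, never reviewed) and collects three findings; the internal RDP entry passes on MFA and scope but is flagged only because its last review is outside the window. Running the review on a schedule, and treating any non-empty finding as a ticket, is the "reviewed regularly" part of the takeaway.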