Medibank — The MFA That Wasn't
Medibank is Australia's largest private health insurer, holding sensitive medical records on millions of Australians. As a regulated entity, multi-factor authentication (MFA) on privileged access was both a documented internal requirement and a baseline industry expectation.
Two prior security reviews had flagged this exact gap. In mid-2020, a Datacom report identified MFA absence as a "critical defect." In August 2021, KPMG repeated the warning in its assessment. In both cases, leadership documented the finding and implementation plans were drafted.
In August 2022, an attacker obtained credentials belonging to an IT service desk contractor whose personal laptop was compromised. They used those credentials to log in to Medibank's Global Protect VPN — which did not enforce MFA. Endpoint detection alerts on 24 and 25 August 2022 flagged anomalous activity but were not triaged or escalated. Over the next six weeks, the attacker exfiltrated approximately 520 GB of customer data, including health records.
Your task
Identify two stages of the Drift Model where this scenario shows clear drift, and justify each.