Security Lessons From the Medibank Breach: Two Years On


The Medibank breach in late 2022 was a wake-up call for Australian businesses. Nearly 10 million current and former customers had their personal information, including sensitive health data, stolen and published by criminals.

Two years on, what have we learned? And more importantly, what should small businesses be doing differently?

What Actually Happened

Here’s the simplified version:

An attacker obtained credentials for a Medibank contractor account. That account had access to internal systems, including customer databases. The attacker used those credentials to access and exfiltrate data over several weeks.

When Medibank refused to pay the ransom, the attacker published sensitive health information online. The reputational damage, regulatory scrutiny, and remediation costs have been enormous.

The Key Failures

Credential compromise without MFA. The initial access came through stolen credentials. If MFA had been enforced on that account, the stolen password alone wouldn’t have been enough.

Excessive access privileges. The compromised account had broader access than necessary for its role. This allowed the attacker to reach sensitive customer data.

Insufficient monitoring. The attacker was inside the network for an extended period, exfiltrating large amounts of data. Better monitoring might have detected the unusual activity earlier.

Third-party risk management. The compromised credentials belonged to a contractor. Third-party access is a common vulnerability that organisations often underestimate.

None of these are exotic vulnerabilities. They’re basic security failures that happen at businesses of all sizes.

What This Means for SMBs

You might think a breach at a major health insurer isn’t relevant to your 30-person accounting firm. But the underlying failures are identical to what I see in small businesses every week:

Passwords without MFA: “We haven’t gotten around to MFA yet” is still something I hear constantly. The Medibank breach would likely have been prevented by MFA. How many small business breaches have the same root cause?

Everyone’s an admin: Small businesses often give broad access because it’s convenient. The principle of least privilege feels like bureaucracy when you’re a small team. But it exists for exactly this reason.

No one’s watching the logs: Most small businesses don’t monitor for unusual activity. They wouldn’t know if an attacker was in their network until something obvious happened - like ransomware encryption or a customer complaint.

Vendor access is a blind spot: Your IT support provider, your accountant’s remote access, that contractor who needed access once and never had it revoked - third parties are attack vectors.

Applying the Lessons

Lesson 1: MFA is non-negotiable

If Medibank had enforced MFA on contractor accounts, the stolen credentials wouldn’t have worked. The attack would have failed at the first step.

For your business:

  • Enable MFA on all accounts, especially those with remote access
  • Include contractors, temporary staff, and vendor accounts
  • Use authenticator apps, not SMS
  • Make it a condition of access, not a suggestion

Lesson 2: Least privilege matters

The attacker accessed data they shouldn’t have been able to reach from that account. Excessive privileges turned a limited compromise into a catastrophic breach.

For your business:

  • Review who has access to what
  • Remove access that isn’t needed for current roles
  • Create role-based access groups rather than individual permissions
  • Audit access quarterly

Lesson 3: Monitor for anomalies

Weeks of data exfiltration went unnoticed. Better monitoring might have caught unusual access patterns or large data transfers.

For your business:

  • Enable audit logging for critical systems
  • Set up alerts for impossible travel, unusual login times, bulk file access
  • Actually review those alerts (or have someone who does)
  • Know what “normal” looks like so you can spot “abnormal”
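The three alert types in the list above (impossible travel, unusual login times, bulk file access) can be expressed as simple rules over the audit logs most cloud suites already produce. The following is an added illustration written for this post, not Medibank's tooling or any vendor's detection product: it runs three such rules over a handful of constructed sign-in and file-access events (hypothetical users, cities, times and thresholds) so you can see what "knowing what normal looks like" means in practice.

```python
"""Toy anomaly rules over constructed audit events (not real breach data)."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in events: hypothetical users, cities and coordinates.
SIGNIN_EVENTS = [
    {"user": "contractor01", "ts": "2024-03-04T09:02:00", "city": "Melbourne", "lat": -37.81, "lon": 144.96},
    {"user": "alice", "ts": "2024-03-04T02:15:00", "city": "Sydney", "lat": -33.87, "lon": 151.21},
    {"user": "bob", "ts": "2024-03-04T08:55:00", "city": "Sydney", "lat": -33.87, "lon": 151.21},
    {"user": "contractor01", "ts": "2024-03-04T09:40:00", "city": "Frankfurt", "lat": 50.11, "lon": 8.68},
]

# Constructed file-access events: bob opens five invoices over five minutes,
# contractor01 pulls sixty customer exports inside ten minutes.
_base = datetime.fromisoformat("2024-03-04T09:45:00")
FILE_EVENTS = [
    {"user": "bob", "ts": (_base + timedelta(minutes=i)).isoformat(), "file": f"invoice_{i}.pdf"}
    for i in range(5)
] + [
    {"user": "contractor01", "ts": (_base + timedelta(seconds=10 * i)).isoformat(), "file": f"customer_{i}.csv"}
    for i in range(60)
]


def _km(a, b):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def impossible_travel(events, max_kmh=900):
    """Flag consecutive sign-ins by one user that would need faster-than-airliner travel."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            hours = (datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            dist = _km((prev["lat"], prev["lon"]), (cur["lat"], cur["lon"]))
            # Same location is never suspicious; a different location in zero time always is.
            if dist > 0 and (hours == 0 or dist / hours > max_kmh):
                findings.append((user, prev["city"], cur["city"]))
    return findings


def off_hours_logins(events, start_hour=7, end_hour=19):
    """Flag sign-ins outside the business's normal working hours (timestamps assumed local)."""
    return [(e["user"], e["ts"]) for e in events
            if not start_hour <= datetime.fromisoformat(e["ts"]).hour < end_hour]


def bulk_file_access(events, threshold=50, window_minutes=10):
    """Flag users with more than `threshold` file-access events in any sliding window."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(datetime.fromisoformat(e["ts"]))
    window = timedelta(minutes=window_minutes)
    findings = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                findings[user] = max(findings.get(user, 0), count)
    return findings


if __name__ == "__main__":
    print("impossible travel:", impossible_travel(SIGNIN_EVENTS))
    print("off-hours sign-ins:", off_hours_logins(SIGNIN_EVENTS))
    print("bulk file access:", bulk_file_access(FILE_EVENTS))
```

The thresholds (900 km/h, 07:00 to 19:00, 50 files in 10 minutes) are the part you tune to your own business; the point of the exercise is that each rule needs a baseline of normal behaviour before it can flag the abnormal, and someone who actually reads what it flags.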

Lesson 4: Third parties are your risk

The compromised credentials belonged to a contractor, not an employee. Third-party access is often less controlled than internal access.

For your business:

  • Inventory all third-party access to your systems
  • Apply the same security standards to vendor accounts
  • Review contractor access when engagements end
  • Include third-party security in your risk assessments
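Lessons 1, 2 and 4 all come down to the same quarterly access review: every remote account has MFA, every account holds only the groups its role allows, and every contractor or vendor account is switched off when the engagement ends or goes idle. As an added example for this post (not Medibank's process or any identity product's API), the script below runs those three checks over a constructed account inventory with a hypothetical role policy; in a real review you would export the same fields from your identity provider.

```python
"""Toy access review over a constructed account inventory (hypothetical data)."""
from datetime import date

# Hypothetical role-based policy: job role -> access groups that role is allowed to hold.
ROLE_POLICY = {
    "accountant": {"finance-app", "email"},
    "it-support": {"helpdesk", "email", "workstation-admin"},
    "contractor-dev": {"dev-repo", "email"},
}

# Constructed inventory: what an export from an identity provider might look like.
ACCOUNTS = [
    {"user": "alice", "kind": "employee", "job": "accountant",
     "groups": {"finance-app", "email"}, "mfa": True, "remote": True,
     "last_login": "2024-03-01", "ends": None},
    {"user": "bob", "kind": "employee", "job": "it-support",
     "groups": {"helpdesk", "email", "workstation-admin", "customer-db"}, "mfa": True, "remote": True,
     "last_login": "2024-03-04", "ends": None},
    {"user": "contractor01", "kind": "contractor", "job": "contractor-dev",
     "groups": {"dev-repo", "email", "customer-db"}, "mfa": False, "remote": True,
     "last_login": "2024-03-04", "ends": "2024-06-30"},
    {"user": "vendor-backup", "kind": "vendor", "job": "contractor-dev",
     "groups": {"dev-repo"}, "mfa": False, "remote": True,
     "last_login": "2023-10-12", "ends": "2023-11-30"},
]


def missing_mfa(accounts):
    """Lesson 1: remote-capable accounts (staff, contractors and vendors alike) without MFA."""
    return sorted(a["user"] for a in accounts if a["remote"] and not a["mfa"])


def excess_groups(accounts, policy):
    """Lesson 2: groups an account holds beyond what its job role permits."""
    findings = {}
    for a in accounts:
        extra = a["groups"] - policy.get(a["job"], set())
        if extra:
            findings[a["user"]] = sorted(extra)
    return findings


def stale_third_party(accounts, today, max_idle_days=90):
    """Lesson 4: contractor/vendor accounts whose engagement has ended or that sit unused."""
    findings = {}
    for a in accounts:
        if a["kind"] not in ("contractor", "vendor"):
            continue
        reasons = []
        if a["ends"] and date.fromisoformat(a["ends"]) < today:
            reasons.append("engagement ended")
        idle = (today - date.fromisoformat(a["last_login"])).days
        if idle > max_idle_days:
            reasons.append(f"idle {idle} days")
        if reasons:
            findings[a["user"]] = reasons
    return findings


def access_review(accounts, policy, today):
    """Bundle the three checks into one report for the quarterly review."""
    return {
        "missing_mfa": missing_mfa(accounts),
        "excess_groups": excess_groups(accounts, policy),
        "stale_third_party": stale_third_party(accounts, today),
    }


if __name__ == "__main__":
    for check, result in access_review(ACCOUNTS, ROLE_POLICY, date(2024, 3, 5)).items():
        print(f"{check}: {result}")
```

Note what the report surfaces on the constructed data: the contractor account has no MFA and holds a customer-database group its role never needed, and the vendor account should have been removed months ago. Those are exactly the conditions the post's lessons describe, and none of them require special tooling to find.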

The Regulatory Aftermath

Medibank faced intense regulatory scrutiny, including investigation by the Office of the Australian Information Commissioner. The organisation committed to substantial security improvements and faced questions about whether it had adequate security before the breach.

For SMBs, this is a reminder: if you experience a notifiable breach, regulators will look at your security posture. “We didn’t get around to basic controls” isn’t a defence.

The Privacy Act reforms are also tightening requirements, with higher penalties and broader coverage likely. The expectation of reasonable security measures is increasing.

The Human Cost

Beyond the regulatory and financial impacts, the Medibank breach caused real harm to real people. Sensitive health information - mental health conditions, HIV status, pregnancy terminations - was published online by criminals.

Security isn’t abstract. Behind the statistics are individuals whose private information became public through no fault of their own.

This is why we do security. Not to tick compliance boxes, but to prevent this kind of harm to people who trusted organisations with their data.

What Medibank Did Right (Eventually)

To their credit, Medibank refused to pay the ransom. This is the recommended approach - paying ransoms funds criminal enterprises and doesn’t guarantee data won’t be published anyway.

They also acknowledged failures publicly and committed to security improvements. Transparency during a breach is difficult but ultimately builds more trust than denial or minimisation.

The Positive Interpretation

The Medibank breach, along with the Optus breach around the same time, fundamentally changed Australian attitudes toward cybersecurity. Boards started asking questions. Budgets increased. Security became a topic at executive meetings.

If these incidents prompted your business to take security more seriously, something good came from the tragedy.

The question is whether that urgency persists or fades. Two years on, are you still prioritising security? Or has it slipped back down the agenda?

Action Items

If you want to apply Medibank’s lessons to your business:

This week:

  • Verify MFA is enabled on all accounts with remote access
  • Check for any contractor or vendor accounts that shouldn’t be active
  • Review who has access to your most sensitive data

This month:

  • Audit administrative privileges across your systems
  • Enable monitoring for unusual authentication activity
  • Test your backup restoration process

This quarter:

  • Conduct or update your risk assessment
  • Review third-party access controls
  • Brief your team on what you’ve learned and what you’re doing about it

The Medibank breach was a disaster for millions of Australians. Let’s make sure it wasn’t wasted. Learn the lessons. Apply them. Be better.