The Australian National University is currently assessing the full extent of the data breach that was discovered in mid April, and are claiming that it was carried out by a ‘sophisticated’ attacker. The beach lead to a significant amount of both student and staff information being accessed and stolen, with the university confirming that an estimated 200,000 people have been affected by the hack. In a message to staff and students, vice-chancellor Brian Schmidt said someone illegally accessed the university’s systems in late 2018.
“We believe there was unauthorised access to significant amounts of personal staff, student and visitor data extending back 19 years,” Schmidt said.
Information accessed in the data breach includes: names, addresses, dates of birth, phone numbers, personal email addresses, emergency contact details, tax file numbers, payroll information, bank account details, passport details and student academic records.
It’s important to note that the university said stored credit card details, vehicle registration numbers. travel information, medical records, police checks, and some performance records have not been affected. “We have no evidence that research work has been affected,” Schmidt said.
ANU is working closely with Australian government security agencies and industry security partners to investigate the attack further, he added.
This isn’t the first time the University has been attacked, although previous security incidents caused ANU to upgrade their systems, installing new tools and processes to improve their ability to detect and respond to Cyber attacks. “Following the incident reported last year, we undertook a range of upgrades to our systems to better protect our data. Had it not been for those upgrades, we would not have detected this incident,” Schmidt said.
Unfortunately, sometimes a Cyber attack (that does minimal damage) is just what an organisation needs to remind them of the real and persistent dangers.
Universities are prime targets for hackers, from Nation-State groups, organised crime, and even that kid living in his mums basement. Due to the information they hold, and who they hold it on (think about the kids of foreign leaders and business people, for example). Often universities lack the technology and expertise to adequately protect this most sensitive information.
The Australian Cyber Security Centre confirmed it is working with ANU to secure the networks, protect users and investigate the full extent of the compromise. The Australian Signals Directorate, who Evisent partners with in the MSP3 program, advised that it does appear to be the work of a sophisticated actor.
The university has set up a hotline for staff and students concerned about the breach: 1800 275 268.