ANU staff and student data stolen in breach
The personal data of staff, students and visitors to the Australian National University extending back 19 years appear to have been compromised by attackers, the university has disclosed.
A “sophisticated operator” illegally infiltrated the ANU’s systems in late 2018, accessing and copying data including student academic records and bank account details of staff, according to Vice Chancellor Brian Schmidt. The breach was not detected until May.
The compromised data also included names, addresses, dates of birth, phone numbers, payroll information, tax file numbers and passport details.
Systems storing credit card details, medical records and other more sensitive information were not affected. ANU email accounts were not compromised, and the university has no evidence that any research data was stolen.
The attack could have national security implications due to the ANU’s role in providing mid-career education to government officials including military personnel, as well as its role in defence and other sensitive research.
Schmidt said the data breach would not have been detected if the university had not upgraded its systems following the incident reported in July last year, in which suspected Chinese hackers infiltrated ANU systems.
While media reports at the time cited concerns among security officials that the attackers had compromised research information with potential national security implications, the ANU released a statement indicating that it believed no student or research information was stolen.
The university has stated that it is too early to say whether the latest breach is related to the previous one.
The ANU has established a dedicated help line for individuals seeking more information on the latest breach or who have specific security concerns, and has increased counselling resources available to students and staff, Schmidt said.
“We must always remain vigilant, alert and continue to improve and invest in our IT security,” he said. “I assure you we are taking this incident extremely seriously and we are doing all we can to improve the digital safety of our community.”
The university is urging all potentially affected students, staff and alumni to change their passwords, and will require all accounts whose passwords have not been reset since November last year to change their passwords from next week.
In response to the breach, Education Minister Dan Tehan has also promised to ask all university vice chancellors to attend a briefing with the Australian Cyber Security Centre focused on ensuring universities are utilising cybersecurity best practices.
Adam Biviano, Principal Solution Architect at digital identity management platform provider ForgeRock, said universities are increasingly falling into cybercriminals’ crosshairs.
“Personal identity information remains the Holy Grail of cybercriminals as there are many avenues to profit from it. Education providers may store and manage millions of consumer data records and thus are finding themselves under a constant barrage of cyber attacks,” he said.
“Not only does a breach impact a business with the potential to inflict brand damage and reduce revenues, it can also see impacted customers pay a hefty personal price given they may now be directly in the sights of the perpetrator as they look to cash in.”