ANU hack points to troubling year ahead

A trove of personal data held at one of Australia’s premier universities has been accessed by a “sophisticated operator”, signalling troubling times ahead for data security.

According to a statement issued by Australia National University’s Vice Chancellor Brian Schmidt, the hacker accessed ANU’s systems in 2018, with the university only discovering the breach two weeks ago.

Information accessed – some of which is nearly 20 years old – includes highly sensitive data including passport details, student academic records, bank details and tax file numbers.

“For the past two weeks, our staff have been working tirelessly to further strengthen our systems against secondary or opportunistic attacks. I'm now able to provide you with the details of what occurred,” Dr Schmidt said.

“We believe there was unauthorised access to significant amounts of personal staff, student and visitor data extending back 19 years.

“Depending on the information you have provided to the university, this may include names, addresses, dates of birth, phone numbers, personal email addresses and emergency contact details, tax file numbers, payroll information, bank account details, and passport details. Student academic records were also accessed.

“The systems that store credit card details, travel information, medical records, police checks, workers' compensation, vehicle registration numbers, and some performance records have not been affected.

“We have no evidence that research work has been affected.”

Dr Schmidt said ANU was working with Australian government security agencies to investigate the breach further and urged the ANU community to follow the advice of the Chief Safety Information Officer to safeguard against further attacks. These included changing their passwords, screening incoming calls and using only updated systems.

The university also provided increased counselling resources for those affected by the data breach.

The Australian Signals Directorate is yet to identify who is behind the attack and cannot say whether a state actor was involved.

Although experts have not concluded that China was behind the latest attack, they believe it fits into a “pattern of behaviour”.

"The theory is they're creating databases they can mine for interesting intelligence or counter intelligence purposes," senior analyst Tom Uren told the Canberra Times.

Experts believe ANU is a significant target for international hackers because of its close links to government and Australia's intelligence community.

In Risk Based Security’s Mid-Year Data Breach Quick-View Report of 2018, Australia ranked fifth in data breaches. The US topped the list, with more than 1000 publicly disclosed data breaches in the first half of 2018, followed by the UK, Canada, India and Australia.

More alarmingly, the same report found that Australia also ranked fifth in the number of records exposed, with an astronomical 20,035,981.

If experts are to be believed and the ANU hack is indicative, 2019 is shaping up to be a fruitful year for cyber criminals. In a recent Forbes article, CEO of ObservIT Mike McKee said:

“We expect nation-state threats to increase significantly in 2019, particularly targeting critical infrastructure. Critical infrastructure systems are extremely vulnerable to both cybersecurity and physical security risks.

"State-sponsored threats and high-level hackers are constantly looking to gain access to the critical infrastructure of nations worldwide, with the intent of hitting some of our most valuable systems.”

After the attack on ANU, digital identity management company ForgeRock’s Adam Biviano offered this sage advice: "Personal identity information remains the holy grail of cybercriminals as there are many avenues to profit from it. Education providers may store and manage millions of consumer data records and thus are finding themselves under a constant barrage of cyberattacks.

"Organisations from all industries can protect identity information by implementing a strong customer identity strategy which includes understanding how it is used and stored across different lines of businesses and ensure that sensitive personal information is only kept on robust infrastructure.

"Not only does a breach impact a business with the potential to inflict brand damage and reduce revenues, it can also see impacted customers pay a hefty personal price given they may now be directly in the sights of the perpetrator as they look to cash in.

"Protecting customer data must be a top priority for enterprises of all types and industry sectors, as the evidence is clear that cybercriminals show no sign of slowing down," Biviano said.

Do you have an idea for a story?
Email [email protected]