A recent cyber attack at Deakin University which compromised the data of tens of thousands of students has led experts to place the sector on high alert.
Last week, hackers stole the login details of a single Deakin staff member and unlocked the personal details of 46,980 past and current students.
This included individuals' names, past academic results, mobile phone numbers and email addresses.
A phishing text was then sent to nearly 10,000 students through a third-party provider asking for credit card details to pay for "an urgent customs fee".
Ryan Ko, a cybersecurity professor from the University of Queensland, said universities have become an increasingly alluring target for hackers.
“Universities are an attractive place for cyber criminals mainly because they are at the interface of many things,” Ko told Campus Review.
“They do exciting research, which could potentially be stolen and be used on underground markets to sell the IP to potential customers, or they could also be interfacing with multiple countries and multiple government officials and agencies.”
Cybersecurity incidents within the education sector hit record highs in 2021, with at least four major Australian universities hit by online attacks.
According to data from the Australian Cyber Security Centre, 6.2 per cent of cyber security incidents during the period of 2021-22 were reported by education and training providers.
Ko said this is likely to increase over time as perpetrators become more sophisticated and harder to identify.
“We're going to see these opportunistic cybercriminals knowing that the odds are not against them, they're actually for them,” he said.
“In fact, we are starting to see a shift from traditional crime into cyber and cyber-enabled crime from the statistics we have seen so far.”
A recent audit by the Victorian government found a major cyber weakness among universities was a lack of consistent policies and procedures around third-party service providers.
Coupled with an overreliance on IT systems, led by the shift to remote learning, administrators are now dealing with a minefield of digital risks, Ko said.
“In the case of this recent Deakin cyber attack, it involved a third party provider sending an SMS, so it's also unclear whether the third-party provider sending the SMS spam was of a high enough cyber security posture.”
“There has to be a system where we are able to certify, or at least the suppliers to the universities can attest to, or vouch for some level of cybersecurity maturity,” Ko said.
In a blog post, Deakin University said it had launched an investigation into last week's breach and had engaged with the Office of the Victorian Information Commissioner.
"Deakin continues to investigate the incident and is working with the third-party provider to ensure security protocols are enhanced to prevent any recurrence of this breach," a statement read.
"Malicious attacks are becoming more commonplace, and more difficult for individuals to detect, however, we must all remain vigilant."
Campus Review has contacted Deakin University for further comment.