news
campusreview.com.au
The year of the hack
ANU information security breach
points to troubling year ahead.
By Wade Zaglas
A trove of personal data held
at one of Australia’s premier
universities has been accessed by a
“sophisticated operator”, signalling troubling
times ahead for data security.
According to a statement issued by
Australian National University’s vice-chancellor
Brian Schmidt, the hacker
accessed ANU’s systems in 2018, with the
university only discovering the breach in
May this year.
The information accessed – some of
which is nearly 20 years old – includes
highly sensitive data such as passport
details, student academic records, bank
details and tax file numbers.
“For the past two weeks, our staff
have been working tirelessly to further
strengthen our systems against secondary
or opportunistic attacks. I’m now able
to provide you with the details of what
occurred,” Schmidt said.
“We believe there was unauthorised
access to significant amounts of personal
staff, student and visitor data extending
back 19 years.
“Depending on the information you
have provided to the university, this may
include names, addresses, dates of birth,
phone numbers, personal email addresses
and emergency contact details, tax file
numbers, payroll information, bank account
details, and passport details. Student
academic records were also accessed.
“The systems that store credit card
details, travel information, medical records,
police checks, workers’ compensation,
vehicle registration numbers, and
some performance records have not
been affected.
“We have no evidence that research work
has been affected.”
Schmidt said ANU was working with
Australian government security agencies to
investigate the breach further and urged the
ANU community to follow the advice of the
chief safety information officer to safeguard
against further attacks.
This includes changing passwords,
screening incoming calls and using only
updated systems.
The university also provided increased
counselling resources for those affected
by the data breach.
The Australian Signals Directorate is
yet to identify who is behind the attack
and cannot say whether a state actor
was involved.
Although experts have not concluded
that China was behind the latest attack, they
believe it fits into a “pattern of behaviour”.
“The theory is they’re creating databases
they can mine for interesting intelligence
or counter intelligence purposes,” senior
analyst Tom Uren told The Canberra Times.
Experts believe ANU is a significant
target for international hackers because
of its close links to the government and
Australia’s intelligence community.
In Risk Based Security’s Mid-Year Data
Breach QuickView Report of 2018, Australia
ranked fifth in data breaches. The US
topped the list, with more than 1000
publicly disclosed data breaches in the first
half of 2018, followed by the UK, Canada,
India and Australia.
More alarmingly, the same report
found that Australia also ranked fifth in
the number of records exposed, with an
astronomical 20,035,981.
If experts are to be believed and the ANU
hack is indicative, 2019 is shaping up to
be a fruitful year for cyber criminals. In a
recent Forbes article, the CEO of ObserveIT,
Mike McKee, said:
“We expect nation-state threats to
increase significantly in 2019, particularly
targeting critical infrastructure.
“Critical infrastructure systems are
extremely vulnerable to both cybersecurity
and physical security risks.
“State-sponsored threats and high-level
hackers are constantly looking to gain
access to the critical infrastructure of
nations worldwide, with the intent of hitting
some of our most valuable systems.”
After the attack on ANU, digital identity
management company ForgeRock’s Adam
Biviano offered this sage advice:
“Personal identity information remains
the holy grail of cybercriminals as there are
many avenues to profit from it.
“Education providers may store and
manage millions of consumer data records
and thus are finding themselves under a
constant barrage of cyberattacks.
“Organisations from all industries
can protect identity information by
implementing a strong customer identity
strategy which includes understanding
how it is used and stored across different
lines of businesses and ensure that sensitive
personal information is only kept on
robust infrastructure.
“Not only does a breach impact a
business with the potential to inflict brand
damage and reduce revenues, it can
also see impacted customers pay a hefty
personal price given they may now be
directly in the sights of the perpetrator as
they look to cash in.
“Protecting customer data must be a
top priority for enterprises of all types
and industry sectors, as the evidence is
clear that cybercriminals show no sign of
slowing down.”