A Deakin University cyber attack has compromised the contact details of nearly 47,000 current and past students, as well as some of their recent results.
The hacker gained access to a staff member’s usernames, passwords and information stored by a third-party provider.
The university said in a statement it became aware of the incident on Sunday, when someone hacked the staff member’s username and password to access the university’s information.
The breach included a text message sent to 9997 students requesting payment of customs fees to have a parcel delivered.
The hacker also obtained the contact information of 46,980 Deakin students, including student IDs, mobile numbers, email addresses, comments, and recent unit results.
Deakin University said in a statement that immediate action was taken to stop any further SMS messages being sent to students and that an immediate investigation into the data breach had commenced.
“We are continuing to investigate the incident, have engaged with the Office of the Victorian Information Commissioner and are working with the third-party provider to improve cybersecurity,” said Deakin University.
Students who received the scam text have been advised to change their Deakin password as soon as possible and not to respond to the communication.
The university also said it would report the breach and seek guidance from the Office of the Victorian Information Commissioner (OVIC) and it is continuing its own investigation into the incident, as well as working “with the third party provider to ensure security protocols have been enhanced to prevent any recurrence.”
The cyberattack closely follows the release of an Office of the Victorian Information Commissioner (OVIC) report on the security of personal information held by Victoria’s universities.
The privacy watchdog notes that universities are complex organisations with many different but interlinked businesses.
“It can be challenging for a university to implement effective data governance, especially where the business units operate separately,” says the OVIC report.
The OVIC also says Victorian universities, including Deakin, have prioritised ICT and cyber security risks. That includes training staff on cybersecurity issues, conducting Privacy Impact Assessments for new projects involving personal information, and having a data breach response plan.
Scott Leach, VP of APJ at cybersecurity firm Varonis, says the rise of cyber-attacks on Australia’s education industry highlights just how important it is for organisations to have tight control over their data – this means knowing exactly who has access to what, and which data presents the highest risk if it were to be exposed.
“With cyber-attacks increasing in both prevalence and sophistication, it is becoming more difficult for organisations to even detect breaches when they do happen.”
“Australia’s education sector is routinely targeted by hackers, who know just how much valuable personal data lies within university, school and TAFE databases, and the immense disruption they can cause to the public by shutting down systems,” said Leach.
The incident confirms that Victoria’s universities are increasingly subject to cybersecurity attacks. Last year, a cyberattack at rival Victorian university RMIT caused the suspension of new student enrolments there and temporarily halted the processing of staff payroll.
Deakin says it sincerely apologises to those impacted by this incident and wants to assure the Deakin community that it is conducting a thorough investigation to prevent a similar incident from occurring again.
“Malicious attacks are becoming more commonplace, and more difficult for individuals to detect, however we must all remain vigilant. Deakin’s Cyber Security team is committed to protecting the personal information of our entire community,” says Deakin University.
It’s currently unknown if any of the students have fallen victim to the scam. However, it’s an occurrence that happens frequently.
Deakin University Cyber Attack Raises Security Questions
A legitimate question has been raised as to why a staff member would have authority to access records of such a diverse group of individuals, current and past students.
The third-party provider could also face awkward questions about the level of protection it had to detect suspicious activity and prevent the exfiltration of the Victorian university’s data.
Last year Swinburne University was also the victim of a data breach. Details about over 5000 employees and 100 students were published online. The data was discovered to have come from an event registration page that contained contact information and names of potential attendees.
In previous years, Australian National University and Australian Catholic University also had data breaches that affected thousands of people.
The State of Ransomware in Education 2022 survey, conducted by Sophos, found that both higher and lower education are increasingly being hit with ransomware, with 60% suffering attacks in 2021 compared to 44% in 2020.