A premier Australian university has disclosed a cyberattack that compromised the personal information of its students and staff extending back nearly two decades.
“We believe there was unauthorised access to significant amounts of personal staff, student and visitor data extending back 19 years,” reads a statement from Brian Schmidt, Vice-Chancellor of the Australian National University (ANU).
The stolen data belongs to an estimated 200,000 people and includes “names, addresses, dates of birth, phone numbers, personal email addresses and emergency contact details, tax file numbers, payroll information, bank account details, and passport details”.
Other sensitive information, such as credit card details, medical records, research data and intellectual property, was not compromised. AMU is working with Australian government security agencies and security experts to investigate further.
Schmidt said that the incident occurred in late 2018, but wasn’t discovered until two weeks ago – on May 17 to be exact according to FAQs regarding the breach.
The university also published guidance for people affected by the breach. The advice can be distilled into three points – change your ANU password, don’t reuse it anywhere else, and be on your guard against suspicious emails that may follow after the intrusion.
Meanwhile, there’s no word on who may have been behind the breach. “Attribution is difficult, and we are not able to attribute this attack,” said the university. It did say, however, that the breach was the work of a “sophisticated operator”.
This was the second time within less than a year that the university was targeted by hackers. Last July, ANU disclosed a months-long battle to expel intruders who were said to have “utterly compromised” the university’s computer system.
The university said that it only spotted the more recent intrusion thanks to security enhancements implemented in the wake of that earlier incident. “Following the incident reported last year, we undertook a range of upgrades to our systems to better protect our data. Had it not been for those upgrades, we would not have detected this incident,” said Schmidt.
Universities in general make for an appealing target for attackers with various motivations. Besides the personal information of employees and students, universities hold massive amounts of highly-valuable and commercially-sensitive research data