Hackers have obtained the personal data of staff, students and visitors to the Australian National University dating back almost 20 years after breaking into the university’s IT network.
A “sophisticated operator” accessed the university’s systems in late 2018, but the institution realised the breach only a fortnight ago.
“We believe there was unauthorised access to significant amounts of personal staff, student and visitor data extending back 19 years,” Vice-Chancellor Brian Schmidt said on Tuesday.
Information accessed includes some names, addresses, dates of birth, phone numbers, personal emails, tax file numbers, bank account details, passport details and student academic records.
The hacking did not affect credit card details, travel information, medical records, police checks, workers’ compensation, vehicle registration numbers and some performance records stored by the university.
Shadow treasurer Jim Chalmers, a former student of the ANU, said the breach was concerning.
“It appears to be quite a serious hack,” he said in Brisbane.
“No doubt more details will be discovered as the police go about their work, and we’ll wait to see the conclusions of that investigation.”
Today the University is informing its community it has been the victim of a data breach. The breach is the work of a sophisticated operator.
— ANU Media (@ANUmedia) June 4, 2019
Cyber security expert Tom Uren, a senior analyst at the Australian Strategic Policy Institute, told the ABC that universities were good places to keep track of people’s histories.
“I imagine quite a few university students from ANU end up in federal government,” he told the ABC in August 2018.
“Inevitably some of them will become important people down the track.”
The Australian Signals Directorate told the ABC the hack appeared to be the work of a sophisticated actor. It said it was working with the university to secure networks, protect users and investigate the breach.
“This compromise is a salient reminder that the cyber threat is real and that the methods used by malicious actors are constantly evolving,” a spokesperson said.
The ASD said it was too soon to draw a connection between this most recent hack and other security breaches.
ANU Vice Chancellor Brian Schmidt reveals a massive data hack at the university, information dating back 19 years has been stolen https://t.co/yJ4Q0O4a2e @abcnews @politicsabc #auspol
— Matthew Doran (@MattDoran91) June 4, 2019
However, another former ANU student and academic, Labor MP Andrew Leigh, said such attacks were unfortunately becoming a fact of life. The university’s data breach follows attacks on the Bureau of Meteorology and Parliament House’s computer network.
“This is the new reality we live in,” he said.
The hack is the second ANU has suffered within a year, with the institution confirming in July last year it was working to “contain a threat to IT within the university”.
No staff, student or research information was taken on that occasion, the university said at the time.
System upgrades ANU undertook after that incident had allowed it to detect the latest incident, Professor Schmidt said.
“We must always remain vigilant, alert and continue to improve and invest in our IT security.”
The university has set up a confidential direct help line – 1800 275 268 – for anyone seeking more information or with particular concerns.
“I know this will cause distress to many in our community and we have put in place services to provide advice and support,” Professor Schmidt said.
The university’s chief information security officer has also issued advice for anyone who thinks they might have been affected, including resetting passwords and being cautious about opening some emails.