Strewth: Hackers slurp 19 years of Oz student data in uni's second breach within a year

Upgraded its systems after attack in early '18, just enough to detect attack in late '18


The Australian National University (ANU) today copped to a fresh breach in which intruders gained access to "significant amounts" of data stretching back 19 years.

The top-ranked Oz uni said it noticed about a fortnight ago that hackers had got their claws on staff, visitor and student data, including names, addresses, dates of birth, phone numbers, personal email addresses, emergency contact details, tax file numbers, payroll information, bank account details and passport details. It said the breach took place in "late 2018" – the same year it 'fessed up to another lengthy attack.

Students will be miffed to find out that someone knows they had to retake second-year Statistics since academic records were also accessed.

The uni insisted: "The systems that store credit card details, travel information, medical records, police checks, workers' compensation, vehicle registration numbers, and some performance records have not been affected."

The news comes less than a year after the Canberra-based uni admitted its networks had been hit by a months-long attack, which many in the country's media theorised had originated in China – a claim the People's Republic strenuously denied. At the time, ANU said it had "been working in partnership with Australian government agencies for several months" to fend off the attack.

In a statement released today, the institution's vice-chancellor, astrophysicist and Nobel laureate Brian Schmidt, admitted that if the uni had not made those upgrades last year in the wake of the early 2018 attacks, this breach would have gone undetected.

He said: "As you know, this is not the first time we have been targeted. Following the incident reported last year, we undertook a range of upgrades to our systems to better protect our data. Had it not been for those upgrades, we would not have detected this incident."

Schmidt described the attacker as a "sophisticated operator" and said the uni had "no evidence that research work has been affected".

The uni is home to the ANU Research School of Astronomy and Astrophysics and operates the country's largest optical observatory. Among other things, it houses the SkyMapper project, which is robotically creating the "first comprehensive digital survey of the entire southern sky" and has been releasing the data set on the internet.

Boffins at the uni are still looking for human eyeballs to grok Planet 9, the theorised but undiscovered planet beyond Pluto, in images released by the project. Those interested can seek it or other objects at our solar system's edges here.

ANU is also home to iTelescope.Net, which looks after a network of internet-connected public telescopes popular among amateur and semi-professional astronomers across the globe.

The place is ranked 24th in the QS World University Rankings, but has a strong academic reputation. According to the rankings, it has more citations per faculty member than Cambridge.

The vice-chancellor, who co-bagged the world's top physics prize in 2011 "for the discovery of the accelerating expansion of the Universe through observations of distant supernovae" – and chummily signed off as "Brian" – said:

For the past two weeks, our staff have been working tirelessly to further strengthen our systems against secondary or opportunistic attacks. I'm now able to provide you with the details of what occurred.

We believe there was unauthorised access to significant amounts of personal staff, student and visitor data extending back 19 years.

Depending on the information you have provided to the University, this may include names, addresses, dates of birth, phone numbers, personal email addresses and emergency contact details, tax file numbers, payroll information, bank account details, and passport details. Student academic records were also accessed.

The University has taken immediate precautions to further strengthen our IT security and is working continuously to build on these precautions to reduce the risk of future intrusion.

The uni set up direct phone and email help lines and increased its "counselling resources" for those affected.

Not to let us down, the outfit said it took the breach "extremely seriously" and had "profound regret".

As the uni's motto, Naturam Primum Cognoscere Rerum*, attests, above all, find out the "nature of things". Perhaps the next upgrade will help it to actually fend off an attack. ®

* Derived from the Lucretius poem "De Rerum Natura" (book III, 1072)... the point of the poem was to explain Epicurean philosophy - moderation in everything - to a Roman audience.

Biting the hand that feeds IT © 1998–2022