The Australian National University is in damage control after discovering a major data breach a fortnight ago in which a “significant” amount of staff and student information was accessed by a “sophisticated operator”.
The university has confirmed an estimated 200,000 people have been affected by the hack, based on student numbers each year and staff turnover.
In a message to staff and students, vice-chancellor Brian Schmidt said someone illegally accessed the university’s systems in late 2018.
“We believe there was unauthorised access to significant amounts of personal staff, student and visitor data extending back 19 years,” Schmidt said.
Information accessed in the data breach includes: names, addresses, dates of birth, phone numbers, personal email addresses, emergency contact details, tax file numbers, payroll information, bank account details, passport details and student academic records.
The university said stored credit card details, travel information, medical records, police checks, workers’ compensation, vehicle registration numbers and some performance records have not been affected.
“We have no evidence that research work has been affected,” Schmidt said.
ANU is working closely with Australian government security agencies and industry security partners to investigate the attack further, he added.
“Following the incident reported last year, we undertook a range of upgrades to our systems to better protect our data. Had it not been for those upgrades, we would not have detected this incident,” Schmidt said.
Cyber security expert Greg Austin from the University of New South Wales said universities in Australia are a prime target.
He characterised the scale of this attack in the middle to top end.
“It’s fair to say states, major powers with cyber espionage capabilities do target universities … because the elites of various countries attend those universities,” he told Guardian Australia.
The academic said some foreign students studying in Australia would be the sons and daughters of overseas power-brokers or future leaders themselves.
Austin said corporations under cyber attack often become quite disorientated by the experience and are unsure whether to double or triple their investment in cyber security.
“One can’t necessarily blame ANU in a sense, these sort of attacks, if they’re a sophisticated foreign government, they will get this sort of information that’s been stolen by hook or by crook,” he said.
The Australian Cyber Security Centre confirmed it is working with ANU to secure the networks, protect users and investigate the full extent of the compromise.
“This compromise is a salient reminder that the cyber threat is real and that the methods used by malicious actors are constantly evolving,” a spokesman said.
“Unfortunately, a malicious actor with sufficient capability, time and resources will almost always be able to compromise an internet-connected computer network,” the spokesman said.
Australian Signals Directorate advised that it does appear to be the work of a sophisticated actor.
The university has set up a hotline for staff and students concerned about the breach: 1800 275 268.