The vice-chancellor of the Australian National University has revealed that “significant amounts” of sensitive information relating to ANU staff, students and visitors was accessed during a data breach.
The data accessed extended back 19 years, Professor Brian Schmidt wrote in a message to students.
According to the ANU, the information accessed included names, addresses, phone numbers, dates of birth, emergency contact details, Tax File Numbers, payroll information, bank account details, student academic records, and student academic transcripts.
“Systems that store credit cards, travel arrangements, police history checks, workers' compensation, some performance development records or medical records have not been affected,” an FAQ document prepared by ANU said.
The university detected the breach on 17 May.
“Attribution is difficult, and we are not able to attribute this attack,” the FAQ document said. “This data breach has been referred to the appropriate agencies. The core issue for us is the safety of our community and protecting the integrity of our data.”
“In late 2018, a sophisticated operator accessed our systems illegally,” Schmidt wrote in his message. “We detected the breach two weeks ago.”
“For the past two weeks, our staff have been working tirelessly to further strengthen our systems against secondary or opportunistic attacks. I'm now able to provide you with the details of what occurred,” the ANU vice-chancellor wrote.
Schmidt said that the university was working with security agencies and “industry security partners”, and that ANU has “taken immediate precautions to further strengthen our IT security and is working continuously to build on these precautions to reduce the risk of future intrusion.”
Last year the ABC reported that Chinese-based hackers were believed to have illicitly accessed ANU systems. At the time the university said no data believed was exfiltrated.
“As you know, this is not the first time we have been targeted,” Schmidt wrote in his message today. “Following the incident reported last year, we undertook a range of upgrades to our systems to better protect our data. Had it not been for those upgrades, we would not have detected this incident.”
The university’s chief information security officer, Suthagar Seevaratnam, issued security advice for students in the wake of today’s announcement, including resetting passwords if an individual’s ANU account password has not been reset since November last year.
The Australian Signals Directorate, through the Australian Cyber Security Centre, “is working with ANU to secure the networks, protect users and investigate the full extent of the compromise,” an ACSC statement said.
“This compromise is a salient reminder that the cyber threat is real and that the methods used by malicious actors are constantly evolving,” the statement said.
The attack shows indications of being the work of a sophisticated actor, the ACSC statement said: “Unfortunately, a malicious actor with sufficient capability, time and resources will almost always be able to compromise an Internet-connected computer network.”