A 34-year-old man has been charged in connection with “highly complex” breach

Data Protection and a Security Center Network 3D Render

UPDATED A higher education institution in Victoria, Australia, has disclosed a data breach impacting the personal data of around 90,000 staff, students, and suppliers.

In a security alert issued yesterday (March 11), Melbourne Polytechnic said Victoria Police had notified them that an individual who attended the campus in late 2018 had “obtained unauthorised access to Melbourne Polytechnic’s computer systems by hard logging onto the network; overcoming security measures”.

The technical and further education institution (TFE) said that around 55,000 files were accessed, comprising personal data – including email addresses, passwords, and financial and health information – that was held in some of its IT systems between September and December 2018.

Victoria Police told The Daily Swig that detectives had “charged a man following an investigation into an alleged data breach”.

A second, unidentified educational institution also appears to have been targeted, since the police added that “it is alleged the man gained unauthorised access to data from two higher education institutions between August and December 2018”.

The suspect, 34, “was also in possession of other unauthorised data”.

Compromised files

A spokesperson for Melbourne Polytechnic, which accommodates more than 50,000 students, told The Daily Swig that 90,000 individuals had been impacted, more than half of whom had at least one piece of personal information accessed during the breach.

The institution said for “the vast majority” of victims only Melbourne Polytechnic usernames, passwords, and email addresses were exposed.

However, it admitted it was possible that “any information held in those Melbourne Polytechnic accounts at that time was exposed”.

It added that “for a smaller number of people, financial information such as banking and credit card details, passport and drivers licence numbers and some confidential health details may have been accessed.”

The TFE said it had conducted an investigation after receiving the compromised files from the police in late October 2019.

This month it has sent letters to the affected individuals itemizing which of their personal data types had been accessed.

The letters also included recommendations from IDCARE, Australia’s cybersecurity support service, on how victims can protect themselves.

Melbourne Polytechnic has additionally established a call centre to field queries from affected individuals.

Security improvements

In a statement, Melbourne Polytechnic CEO Frances Coppolillo offered “sincere apologies” to the breach victims.

“In response to this incident, we have completed an independent review of our cybersecurity procedures and are implementing a range of improvements including software and hardware upgrades to better protect our IT systems,” she said.

“This data breach was highly complex in nature and it has taken many months to fully understand its scale and impact.”

Educational institutions are an increasingly popular target for cyber-attacks. In February, Maastricht University in the Netherlands admitted to paying a $220,000 ransom following a crippling ransomware attack, while Australian Catholic University (ACU) and Australian National University (ANU) both fell prey to data breaches in 2019.

This story has been updated in light of new information provided by Melbourne Polytechnic.

RELATED Phishing attack: US insurance company reports data security incident