Security incident last year saw student and staff information stolen

The Australian National University (ANU) has announced that a security breach last year exposed the personally identifiable information of staff and students dating back 19 years.

University officials confirmed the incident today, revealing that the breach took place in late 2018, but was only discovered on May 17, 2019.

Evidence points to a “sophisticated operator” who accessed the systems illegally and took sensitive data from as far back as the year 2000.

This data could include the name, address, date of birth, email address, tax numbers, payroll information, bank account details, and passport information of victims, ANU said.

Credit card details, medical records, criminal record check data, vehicle registration numbers, and performance records were not accessed.

ANU vice chancellor Brian Schmidt said in a statement: “That is what we know. We’re working closely with Australian government security agencies and industry security partners to investigate further.

“The university has taken immediate precautions to further strengthen our IT security and is working continuously to build on these precautions to reduce the risk of future intrusion.”

Digging deeper

The university, based in Canberra, was the victim of a separate security incident in July last year.

At the time, university staff said that no staff, student, or research data had been taken.

The institution said it had taken steps to upgrade its security measures, which led to the discovery of the late-2018 attack.

Schmidt added today: “As you know, this is not the first time we have been targeted. Following the incident reported last year, we undertook a range of upgrades to our systems to better protect our data.

“Had it not been for those upgrades, we would not have detected this incident.

“We must always remain vigilant, alert and continue to improve and invest in our IT security.”

An FAQ page for victims is available on the ANU website, advising them to change passwords regularly and keep an eye out for any suspicious activity.

The university’s chief information security officer, Suthagar Seevaratnam, echoed this advice, warning victims to be aware of phishing emails and to ensure all devices are updated regularly.

Victims can also speak to ANU security staff on +61 02 6125 2249.

Nationwide notifications

Organizations in Australia are now legally obliged to notify individuals whose personal information is involved in a data breach, following last year’s introduction of the Notifiable Data Breaches (NDB) scheme.

But some argue that the law doesn’t go far enough, and that the lines between which firms can and cannot be held accountable are blurred.

The scheme only applies to Australian businesses, government agencies, and non-profit organizations that have an annual turnover of A$3 million or more.

There is a one-month reporting timeline in the event of a breach, and penalties will only be handed out if the incident is likely to cause “serious harm”.

Key criticisms include that the legislation doesn’t actually define ‘serious harm’, igniting calls for a lower threshold to be enforced.

Patrick Fair, partner at law firm Baker & McKenzie, told The Daily Swig at the time that he expected more guidance around the meaning of serious harm to emerge over time.

He did add, on the one-year anniversary, that everybody has “sharpened up” when it comes to complying with the scheme – though doubts still remain over what counts as causing harm.
