ANU data breach

Up to 200,000 staff and students from the Australian National University have had their personal data stolen in a massive cyber security attack.

In late 2018, a “sophisticated operator” illegally accessed “significant amounts of personal staff, student and visitor data extending back 19 years”, ANU Vice-Chancellor Brian Schmidt wrote in a statement on Tuesday.

Depending on the data provided to the university, the hackers could have staff and students’ names, addresses, dates of birth, phone numbers, personal email addresses and emergency contact details, tax file numbers, payroll information, bank account details, and passport details. Student academic records were also accessed, according to Schmidt.

But it’s what hackers could be planning to do with the data that makes this breach so terrifying.

Why the ANU?

Nick Patterson, a senior IT Lecturer at Deakin University, told Crikey that “due to the reputation, ties to government and proximity of the ANU, offshore hackers probably perceive this as a good point to begin as it would yield the most valuable data.”

A number of the ANU’s students also go on to have prestigious careers in law, defence, consulting and federal government, meaning their data may be especially valuable.

While ANU is the subject of this attack, Patterson warns it’s very possible that other Australian universities have also been targeted or hacked without detection.

Could this data end up on the dark web?

It’s likely this data will end up for sale on the dark web for purchasers to create fake identities and credit cards, according to Patterson.

The hackers may release the stolen data to the public without asking for payment “as a show of strength, to provide evidence of their capabilities, or to cause chaos,” Paterson wrote in an article for The Conversation.

But Patterson told Crikey he thinks the hackers here are financially-motivated.

“For the most part, hackers [have] shifted from doing it for fun to now trying to make a profit. So they are looking for anything valuable to put up for ransom or sell off to competitor,” he said.

Selling stolen data on the dark web is not uncommon. At the start of the year, the details of around 617 million accounts were stolen from 16 hacked websites, including popular apps like Dubsmash and MyFitnessPal, and sold on the dark web for less than $20,000 in Bitcoin per data set.

The hackers may instead ask the university to pay them a ransom to erase the stolen data, threatening to publish it online if they refuse, according to Patterson.

The ANU said they have no evidence that research work has been stolen, but Patterson said he “would not be surprised if it had been”.

“They have stolen a vast array of sensitive data already, why would they stop at the most valuable intellectual property such as unpublished research or grant proposals,” he told Crikey. “If this has been stolen, the implications are quite problematic: people’s hard work would be stolen, [there would be] lost potential research and lost potential funding from grant proposals.”

Is China involved?

This isn’t the first time that the ANU has reckoned with a cybersecurity threat.

The university spent several months last year fighting off a data hack with the help of federal government cybersecurity officials. Unnamed national security sources told The Sydney Morning Herald they suspected the Chinese government was behind the attack.

Chinese hackers targeted more than two dozen universities in the United States and around the world in an alleged attempt to access maritime military research, according to a report by cyber security firm iDefence obtained by the Wall Street Journal in March.

The ANU is home to several defence-focused research units, including the Strategic & Defence Studies Centre — the country’s oldest, largest and highest ranking academic institute for strategic research. The university also hosts the National Security College, which trains Australian defence and intelligence officials. Depending on how much information was accessed, the latest hack could compromise Australia’s national security and key defence research projects.

Importantly, no culprits have been identified in this case so far.

Is the ANU to blame here?

Many have been left wondering whether storing 19 years of staff and student data online was really necessary. If not, was the ANU partly to blame for putting so many individuals’ at risk of data theft?

An ANU spokesperson defended the data retention when questioned by Crikey, saying that the university is obliged to retain information in compliance with legislative requirements. Patterson said the university isn’t to blame for storing all this data, as it’s fairly common.

While the ANU probably bolstered their cyber defences to the best of their abilities, Patterson said that it’s hard to fend off elite hackers using “zero-day exploits” (software that is unknown to the public or software vendor, meaning that people have “zero days” to protect themselves against its use).

What the university could have improved, he said, was encrypting the data while it was being backed up, and again once it was stored permanently. That way, it would have been difficult for hackers to read or gain any information from stolen data.

Peter Fray

Don't get mad, get Crikey

As you’ve seen in Amber Schultz’s #MeTooWhere series, and our series on corruption before that, there’s so much work to do before we get any meaningful change.

We’re up to it. Because it’s what we do best.

If you missed our sale last week, you can jump on it now.

Get a year of Crikey for just $99 — usually $199 — when you subscribe with the promo code CORRUPTION.

Hurry! Ends midnight, Friday.

Peter Fray
Editor-in-chief of Crikey