ANU hit by cyberattack breaching 19 years’ worth of personal data

Australian National University (ANU) has detected a breach in which 19 years’ worth of personal staff, student and visitor data has been accessed.

It is believed unauthorised access has been gained to a huge amount of data including names, addresses, dates of birth, phone numbers, personal email addresses and emergency contact details, tax file numbers, payroll information, bank account details, passport details as well as student academic records.

The attack by what the university’s Vice-Chancellor Brian Schmidt called a ‘sophisticated operator’ occurred in late 2018 and was detected two weeks ago.

“It is with profound regret I inform you we have been victims of a data breach that has affected personal data belonging to our community,” he wrote in a message to students and staff this morning.

It is understood that systems that store credit card details, travel information, medical records, police checks, workers' compensation, vehicle registration numbers, and some performance records have not been affected.  Nor is there evidence that research work or intellectual property has been affected, Schmidt said.

“The University has taken immediate precautions to further strengthen our IT security and is working continuously to build on these precautions to reduce the risk of future intrusion,” he added. 

The university has set up a direct help line for those with concerns and a dedicated email address. It has also increased counselling resources in the wake of the incident.

The university’s chief information security officer Suthagar Seevaratnam issued guidance to students and staff around passwords, phishing and operating system updates.

“If you have not reset your ANU password since November 2018, it is highly advised that you do so immediately,” Seevaratnam wrote.

The attack comes after hackers based in China infiltrated ANU systems in 2017. When the attack was revealed in July 2018, ANU said it had been working with intelligence agencies for months to minimise the impact of the threat.

“Following the incident reported last year, we undertook a range of upgrades to our systems to better protect our data. Had it not been for those upgrades, we would not have detected this incident,” Schmidt said.