ACU systems compromised and details stolen after cyber breach

ACU, Melbourne

The Australian Catholic University has been hit by a cyber attack resulting in a number of systems being compromised and the theft of personal data.

The public institution discovered the breach on 22 May, which originated from an email phishing campaign by an unknown source.

According to ACU acting vice-chancellor Dr Stephen Weller, an email pretending to be from ACU tricked users into clicking on a link or opening an attachment and then entering their credentials into a fake ACU login page.

As a result, a small number of staff login credentials were obtained via the phishing email and subsequently used to access email accounts, calendars and bank account details of the affected members.

Weller said ACU had notified the affected people and reset the passwords of breached accounts.

The university has also alerted its bank to the potential for fraud-related activity and notified the Tertiary Education Quality and Standards Agency (TEQSA), Office of the Australian Information Commissioner (OAIC), and the Australian Cybercrime Online Reporting Network (ACORN).

“The university deeply regrets that this data breach has occurred,” Weller said. “ACU’s top priority is to protect the data and information of our staff and students. We take very seriously our responsibilities to manage the security of data and the security of our IT systems.”

Weller also reminded its staff and students to avoid opening links or attachments from unknown senders, be aware of phishing emails and telephone calls with personal detail requests and to review and update their passwords regularly.

The institution, which has seven campuses across Australia, plus one in Rome, urged staff and students not to use their university passwords for a personal account.

“We recognise the importance of cyber security awareness for students and staff and are reviewing ACU’s cyber security awareness programs,” Weller added.

The attack on ACU follows a major cyber breach at the Australian National University (ANU), which resulted in 19 years’ worth of personal staff, student and visitor data being accessed.

The attack by what the university’s vice-chancellor Brian Schmidt called a ‘sophisticated operator’ occurred in late 2018 and was detected also around the end of May.