Australian National University suffers hack, again (2nd time in a year) with personal information collected over 19 years affected.

June 4, 2019

The Australian National University has had a very serious data breach. Not only did a hacker or hackers get past its defences and access personal data collected over a 19-year period; the intrusion started in late 2018 and was only detected two weeks ago. That happens. Intruders sometimes remain in a system for years. A long dwell time may say something about the sophistication of the attackers, but more often it says something about the adequacy of the organisation's monitoring.

This is the second data breach in less than a year. That bespeaks a real structural and governance problem with data security. When a breach like this happens, the organisation's data handling practices also come under the spotlight, and ANU will have, or at least should have, a few questions to answer. Apart from the obvious one about poor data practices, another is: why does it keep personal information dating back 19 years? If the data relates to a long term study, longevity is not an issue. But this is personal staff, student and visitor data. Why is it necessary to keep visitor data for 19 years? Holding it once it is no longer needed for any purpose may be a breach of the Australian Privacy Principles.

The other questions worth asking are whether all of this information was accessible from one place, whether the bank account details and tax file numbers were encrypted at rest with the keys held somewhere other than the database that held the records, and whether a single compromised account could read the lot. (Salting is a password-hashing measure; it does not apply to data the organisation has to read back, so for bank and tax details the question is encryption and access control, not hashing.) The hackers had access to names, addresses, dates of birth, bank account details and tax file numbers as well as contact details. Half of that material would give any criminal a running start at identity theft. Of course those questions are not asked often enough in Australia because our Information Commissioner is so weak, timid and ineffective.

The statement from the Vice Chancellor is typical of the waffle Australian organisations produce after a breach, if a little more waffly than most. Unfortunately the authors of this sort of dross are never held to account for the lack of candour they display. It provides:

It is with profound regret I inform you we have been victims of a data breach that has affected personal data belonging to our community.  

In late 2018, a sophisticated operator accessed our systems illegally. We detected the breach two weeks ago.  

For the past two weeks, our staff have been working tirelessly to further strengthen our systems against secondary or opportunistic attacks. I’m now able to provide you with the details of what occurred.  

We believe there was unauthorised access to significant amounts of personal staff, student and visitor data extending back 19 years.  

Depending on the information you have provided to the University, this may include names, addresses, dates of birth, phone numbers, personal email addresses and emergency contact details, tax file numbers, payroll information, bank account details, and passport details. Student academic records were also accessed.  

The systems that store credit card details, travel information, medical records, police checks, workers’ compensation, vehicle registration numbers, and some performance records have not been affected.  

We have no evidence that research work has been affected. 

That is what we know. We’re working closely with Australian government security agencies and industry security partners to investigate further.  

The University has taken immediate precautions to further strengthen our IT security and is working continuously to build on these precautions to reduce the risk of future intrusion.  

The Chief Information Security Officer will be issuing advice shortly on measures we can all take to better protect our systems and I strongly encourage you all to implement those measures. That advice, frequently asked questions, contact details for support, and more information about the breach is available now via our homepage.   

As you know, this is not the first time we have been targeted. Following the incident reported last year, we undertook a range of upgrades to our systems to better protect our data.  Had it not been for those upgrades, we would not have detected this incident.  

We must always remain vigilant, alert and continue to improve and invest in our IT security.  

The required investment has been a priority of the University and I will keep you informed of the progress we’re making. You will also receive regular updates on information security from the Chief Information Security Officer over coming months.  

I know this will cause distress to many in our community and we have put in place services to provide advice and support.  

We have set up a direct help line 1800 275 268 for anyone seeking more information or with particular personal concerns. This line is staffed by experts and will be confidential. Alternatively, you can email helpline@anu.edu.au 

We have also increased counselling resources available for our community.  

I assure you we are taking this incident extremely seriously and we are doing all we can to improve the digital safety of our community. 

We are all affected by this and it is important we look after one another as our community comes to terms with the impact of this breach.

The ANU page set up to provide assistance to those affected by the breach is actually quite good. 

The reporting has been swift and no doubt embarrassing: the Australian, the Guardian, the ABC and the Canberra Times, just for starters. Most of the coverage is heavily based on the Vice Chancellor's statement and so not particularly incisive. The ABC story is more wide ranging and rigorous. The ABC News site also carries an article, initially posted on The Conversation by Nicholas Paterson, titled Personal data stolen from ANU could land on the dark web or worse. It is in the main quite a good article on what happened and what could happen with the data accessed: it could be ransomed, released to the public to the great embarrassment of a lot of people, or sold on the dark web. The article is disappointing in asserting that the ANU had been trying to fight off threats to its systems, possibly from actors in China, but had been unable to do so, and that because of zero day exploits the chances of fending off hackers are quite limited. That assertion should be treated with great scepticism. Paterson is way off beam. It makes for good copy though. Unfortunately it plays into the argument run by many organisations when they have a data breach that it wasn't their fault, whereas in fact the breaches were usually, if not invariably, preventable and due to their incompetence.

Zero day exploits are a problem for many if not most organisations. But a zero day only buys the attacker the first step. What followed here, months of undetected access and the extraction of 19 years of records, is ordinary post-exploitation activity, and there are well established ways to defend against it: reducing the attack surface and finding weaknesses before they are exploited, detecting the early signs of an intrusion (new accounts, unusual logins, bulk reads of sensitive tables, large outbound transfers) and containing it before the data leaves. There are any number of businesses that do just this sort of work. Far from being the last word on the subject is an interesting blog, Defending Against Zero-Day Attacks with AlienVault USM Anywhere, which is as much marketing as it is informative. Also of interest is How to detect and prevent zero-day attacks.

In short, it is not helpful to give the impression that nothing really works against a determined attacker. That is generally not the case. Businesses in critical industries, particularly those holding valuable IP, state security information or simply large sums of money, are under fairly constant attack but manage to maintain data security. Non-state hackers are generally put off by a determined defence, and even state players can be kept at bay. Even where a breach does occur, an organisation with proper resourcing, regular penetration testing and, very importantly, systems that detect intrusions can find the breach early and limit the damage. How much damage is done, and whether the organisation can establish that the intruder has actually been removed, almost always comes down to cost, resources and determination.
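The previous two paragraphs argue that an intrusion which starts with an unpreventable exploit is still detectable once the intruder starts pulling data. As an added illustration of what that detection looks like in practice (this is example code written for this post, not anything from ANU or from the vendors linked above), here is a minimal detector in Python over a constructed database audit log. The log format, the account and table names, the thresholds and the business-hours window are all assumptions for the example. The detector builds a per-account, per-table baseline from each account's earlier reads and flags a read that is far above that baseline, an established account's first read of a sensitive table, or a sensitive-table read outside business hours; the 19-year trove described in the statement above would have produced reads of exactly this shape.

```python
"""Added example: spotting bulk extraction in a database audit log (stdlib only)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit records, invented for this example (not ANU data).
# Assumed format: one record per line, key=value fields, UTC timestamps.
# A payroll account reads a few dozen rows a day, then at 02:13 one night
# pulls the whole bank-details table and a table it has never touched.
SAMPLE_LOG = """\
2018-11-01T09:12:44Z user=hr_payroll action=select table=staff_bank rows=42
2018-11-02T09:05:10Z user=hr_payroll action=select table=staff_bank rows=38
2018-11-05T09:30:01Z user=hr_payroll action=select table=staff_bank rows=51
2018-11-06T10:02:17Z user=hr_payroll action=select table=staff_bank rows=40
2018-11-07T09:44:59Z user=hr_payroll action=select table=staff_bank rows=45
2018-11-12T02:13:08Z user=hr_payroll action=select table=staff_bank rows=188000
2018-11-12T02:15:31Z user=hr_payroll action=select table=student_records rows=420000
2018-11-13T09:20:12Z user=hr_payroll action=select table=staff_bank rows=44
"""

# Tables whose contents enable identity theft; names are assumed.
SENSITIVE_TABLES = {"staff_bank", "student_records", "tax_file_numbers"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)


def parse_log(text):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["rows"] = int(ev["rows"])
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(ev)
    return events


def detect_exfiltration(events, volume_factor=20, min_history=3, business_hours=(7, 19)):
    """Flag reads that look like bulk extraction rather than routine use.

    The baseline for each (user, table) pair is the median row count of that
    pair's *earlier* reads, so one huge read cannot inflate the baseline it is
    judged against. Three independent signals are checked:
      - volume: rows exceed volume_factor x the median of prior reads;
      - novelty: an account with history on other tables reads a sensitive
        table for the first time;
      - timing: a sensitive table is read outside business hours (UTC here).
    Returns a list of alert dicts in time order.
    """
    history = defaultdict(list)       # (user, table) -> row counts seen so far
    seen_tables = defaultdict(set)    # user -> tables the account has read
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, table = ev["user"], ev["table"]
        prior = history[(user, table)]
        reasons = []
        if len(prior) >= min_history:
            baseline = statistics.median(prior)
            if ev["rows"] > volume_factor * baseline:
                reasons.append(f"volume {ev['rows']} vs median {baseline:g}")
        elif table in SENSITIVE_TABLES and not prior and seen_tables[user]:
            reasons.append("first read of sensitive table by this account")
        start, end = business_hours
        if table in SENSITIVE_TABLES and not (start <= ev["ts"].hour < end):
            reasons.append(f"off-hours access at {ev['ts'].strftime('%H:%M')}Z")
        if reasons:
            alerts.append({"ts": ev["ts"].isoformat(), "user": user,
                           "table": table, "rows": ev["rows"], "reasons": reasons})
        prior.append(ev["rows"])
        seen_tables[user].add(table)
    return alerts


if __name__ == "__main__":
    for a in detect_exfiltration(parse_log(SAMPLE_LOG)):
        print(a["ts"], a["user"], a["table"], a["rows"], "; ".join(a["reasons"]))
```

On the sample log only the two 02:13 and 02:15 reads are flagged; the routine reads before and after them, including the one the morning after the bulk pull, stay quiet because the median baseline is not dragged upward by a single outlier. Real deployments would feed this from the database's native audit log and tune the factor and hours per account, but the shape of the signal is the same: an intruder who has to read 19 years of records cannot make that read look like payroll processing.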

Just from what the ANU has revealed, which is not much, the fact that a hacker could collect the trove of information ANU held, across staff, student and visitor records and over a period of months without being noticed, indicates serious flaws in its security makeup.

The Conversation piece provides:

Today it was revealed the Australian National University fell victim to a cyber security attack two weeks ago.

Stolen was a substantial amount of data dating back 19 years relating to staff, students and visitors.

We don’t know for sure how long the cyber attackers were inside the ANU systems in this case. However, the university revealed details of other attempted attacks last year.

The ABC reported that the types of data stolen were “names, addresses, dates of birth, phone numbers, personal email addresses and emergency contact details, tax file numbers, payroll information, bank account details, and passport details. Student academic records were also accessed.”

These are very critical data. Privacy and security are at risk when this sort of information, especially people’s personal and financial details, are hacked.

The question now is what will happen with the stolen data.

There are three likely outcomes:

1. Invitation to pay a ransom

The hackers who stole the data might ask ANU to pay a ransom and they will “erase” the data they stole (or at least say they will). If the ransom is not paid, they will probably release it to the public.

We have seen cases like this before around the world. A recent example involved stolen coding tools.

Another example is an attack on a German IT company, Citycomp, where hackers broke into its systems and stole a lot of critical data. Citycomp was asked to pay a ransom of $5,000 — but did not. The hackers published the data.

2. Free public release of data

The hackers may release the stolen data to the public without asking for any payment. This might happen as a show of strength, to provide evidence of their capabilities, or to cause chaos.

The consequences are still very serious in this case. It could lead to serious breaches of personal privacy, fake identities being created and important intellectual property becoming available to competitors or other hackers.

More broadly, the university may attract fines from the Government if it was later found that correct data protection practices were not followed. That said, there is no evidence this is the case here.

3. Sell for profit on the dark web

The hackers may sell the data on the dark web to make a profit. Others could buy the data to create fake identities and as a result, fake credit cards.

An example where hackers have stolen data involving up to 150 million users and sold it on the dark web involved Under Armour’s MyFitnessPal app.

The entire stolen data set is reportedly available for an asking price of less than $20,000 in bitcoin, around a year after the breach occurred.

Hackers are hard to stop

What makes this ANU case very interesting is that in 2018 The Guardian reported that ANU had spent many months fighting off a threat to its systems. There were unverified reports this might have come from hackers based in China.

This means the ANU has known it was being targeted for a while now, and was still not able to fend off the data breach revealed today.

You might ask why the university hadn’t bolstered its cyber defences in response. The answer is the ANU probably did, to the best of its abilities.

However, when you are dealing with elite hackers and those using “zero day exploits”, it means your chances of preventing a hack are quite limited. Zero day-based exploits focus on vulnerabilities that are not yet known to anti-malware companies or for which no targeted solutions are available, such as patches or updates.

This is still a dangerous situation

There are still aspects of this situation that will present concerns to the ANU and its stakeholders.

For example, it’s possible the hackers could still be in the systems, but hidden.

They may have user names and passwords for student accounts or hidden backdoors the university has not yet discovered.

It could be worse than we know

Another issue is whether the hackers have stolen even more data than is being reported.

It currently appears data not stolen includes “credit card details, travel information, medical records, police checks, workers’ compensation information, vehicle registration numbers, and some performance records”.

ANU vice-chancellor Brian Schmidt has said:

“We have no evidence that research work has been affected.”

But the university may not yet know for sure. A very concerning aspect for the university will be the potential for intellectual property and unpublished academic works to be accessed. This could be very valuable to sell off online or even to other universities.

This has happened before: Iranian hackers targeted 76 universities across 14 countries to steal intellectual property from research projects in 2018.

Only time will reveal what happens next. The bad news is that hackers have stolen critical data and it’s in the wind.

The outcomes could be minimal or they could be disastrous, depending on the hackers’ intentions.

A big concern will be if the hackers still have access to the university systems, via an established backdoor, and are siphoning off critical data as it emerges.

What continues to surprise me, but shouldn't, is the failure of journalists to get beyond the excitement of reporting on a data breach and ask the tough questions about what caused it, to ignore the pat answers the PR firms provide and find out what actually happened. It is worth doing because in most cases the cause is not the genius of a hacker but the incompetence, sometimes breathtaking in its scope and depth, of an organisation. And then the journalists should put their microphones under the nose of the Information Commissioner and ask what she is doing about it. Because the failure of the regulator to, well, er, regulate is a good part of the reason why organisations have such inadequate data security. Why spend the money when the chances of falling under the gaze of the regulator, let alone having action taken against one, are at best remote?
