Deakin University hit by cyber attack resulting in theft of details of 46,980 current and former students.

July 13, 2022

Deakin University was hit with a cyber attack on 10 July affecting 47,000 current and past students. Yesterday it released a statement under the heading “Deakin has been targeted in a cyber attack this week – here’s what happened and what you should do”, which provides:

Deakin University was recently targeted in a data security breach earlier this week. Deakin sincerely apologises to those impacted by this incident and wants to assure the Deakin community that it is conducting a thorough investigation to prevent a similar incident from occurring again.

What happened?

On Sunday 10 July, Deakin University became aware of an incident in which a staff member’s username and password was hacked and used by an unauthorised person to access information held by a third-party provider.

This third-party has been engaged by Deakin to forward messages prepared by the University to students via SMS. The information accessed by the unauthorised person was then used to send an SMS, as if from Deakin, to 9,997 Deakin students with the following text:

[Image: screenshot of the scam SMS]

Anyone who clicked on the link was taken to a form which asked for additional information including credit card details.

In addition to sending the SMS, the unauthorised person downloaded the contact details of 46,980 current and past Deakin students.

The contact details included student name, student ID, student mobile number, Deakin email address and special comments. The special comments included recent unit results. 

Immediate action was taken by Deakin to stop any further SMS messages being sent to students and an investigation into the data breach was immediately commenced.

What is Deakin doing now?

Deakin will report the breach to, and be guided by, the Office of the Victorian Information Commissioner (OVIC).

Deakin continues to investigate the incident and is working with the third-party provider to ensure security protocols are enhanced to prevent any recurrence of this breach.

What do I do now?

If you received this SMS message or have been contacted by Deakin to advise you are part of this breach, please read the following information.

    • Stay vigilant. You may receive further spam attempts to get your private data or access to your devices. 
    • If you’re worried, contact your financial institution. If you have clicked the link and sent money, shared your banking details or are concerned your banking details may have been subsequently breached, contact your financial institution immediately.
    • Reach out for help. Deakin will support any students who may have fallen victim to this incident. Please contact Student Central to discuss your individual situation so that we can offer specific support and referral services.
    • Change your password. Instructions for changing your Deakin password can be found in Username and Password support.

Malicious attacks are becoming more commonplace, and more difficult for individuals to detect, however we must all remain vigilant. Deakin’s Cyber Security team is committed to protecting the personal information of our entire community.

How to stay safe online

    • Always think before you click. Hover over links (or tap and hold on mobile devices) before you click on them to make sure they’re going to take you to a legitimate site.
    • Be wary of unsolicited contact. If you are contacted by a company or person unexpectedly, requesting information not normally requested, report or delete these messages.
    • Use the Phish Alert button. Report any suspicious emails to Digital Services so that they can assess the material and take the necessary steps to protect you and Deakin.

We will continue to take an educative and proactive approach to cyber security and continue to strengthen our systems to prevent future incidents. 

How Deakin communicates with students

As per Deakin’s student communication and policy and procedure, the means for communicating with current students are:

    • Student emails will be the primary form of contact where we need to communicate administrative, enrolment and student service/support information.
    • Phone calls and/or emails will be used to provide information to current students who have been individually and/or specifically identified as belonging to a targeted initiative (e.g. Student newsletter, Orientation, Priority Student Program).
    • the University’s approved online student portal (DeakinSync with its embedded information channels and communication functionality).
    • Text messages to mobile devices will be used for engagement with current students where a student opts in to this service and to communicate critical or emergency information.
    • Postal mail will be used to send information to current and prospective students where required by legislation or to send physical items.

Where to get more information or support

You can contact Student Central in the first instance with any questions or concerns, and we encourage you to visit Deakin’s Cybersecurity blog for more information. DUSA’s financial counselling service may also be able to help you.

The following external websites provide helpful resources and information about scams, including advice on what you should do if you suspect you have been scammed or you’re in need of financial assistance.   

It is not a bad opening statement.

In this case the data was held by a third-party provider. That is an increasingly common occurrence. The hacker obtained access via a staff member’s valid username and password. It will be interesting to see if that staff member’s account or computer was hacked. It will also be interesting to see what the authorisations were. There is a legitimate question as to why a staff member would have authority to access records of such a diverse group of individuals, current and past students. The hacker had access to the phone numbers of at least 9,997 students, which were the subject of a scam text. The third-party provider may also face some awkward questions about what level of protection it had to detect suspicious activity and prevent the exfiltration of the data. Was the data encrypted? In the United States and the United Kingdom the regulators would be asking these and more difficult questions. As this institution is regulated by Victorian state legislation, the regulator is the Office of the Victorian Information Commissioner. The powers of that regulator are extremely circumscribed.

The Age has reported on the breach, mainly lifting large parts of Deakin’s statement and adding some statistics on cyber attacks last year as well as RMIT’s data breach woes at that time. It provides:

A cyberattack at a Victorian university has compromised the contact details of nearly 47,000 current and past students as well as some of their recent results.

The incident at Deakin University follows a hacker accessing a staff member’s username and password and information held by a third-party provider.

The university said in a statement it became aware of the incident on Sunday, and that it had used the third-party provider in the past to send text messages to students.

The breach led to a text message sent to 9997 students claiming they had a parcel available and requesting a payment for a customs fee.

The hacker downloaded the contact details of 46,980 current and former Deakin students, accessing names, student IDs, mobile numbers, email addresses and comments which included recent unit results.

“Immediate action was taken by Deakin to stop any further SMS messages being sent to students and an investigation into the data breach was immediately commenced,” the university said in its statement.

The university says it is continuing to investigate the incident, has engaged with the Office of the Victorian Information Commissioner (OVIC) and is working with the third-party provider to improve cybersecurity.

The most recent OVIC annual report shows the office received 159 data breach notifications in 2020-21, a 66 per cent increase.

A cyberattack at RMIT forced the university to suspend new enrolments and some classes at the beginning of the 2021 school year, and defer a planned return to campus for academic staff.
