Queensland University of Technology suffers data breach involving 11,405 people
February 7, 2023
Educational institutions are prime targets for cyber attacks by state actors and criminals. I have previously written on cyber attacks on tertiary institutions at UWA, University of Tasmania, Deakin University, the ANU in 2019 and 2022. There have been many other data breaches of educational institutions in the United States and Europe. Tertiary institutions are prime targets because they store so much personal information and intellectual property. They are especially tempting targets because tertiary institutions have poor cyber security. The reasons are many and varied: systems cobbled together when institutions merge, too many authorisations, a failure to remove authorisations, differing protocols in different departments, a failure to encrypt data, a failure to properly silo data and, most importantly, indifferent training and inadequate funding. Even though the attacks are regular and their impact severe, educational institutions remain poorly prepared.
Having proper data security means dealing with technical issues and also with cultural problems. For too long businesses have not properly factored in the risks. Boards and management don’t address the issues and don’t properly consider what the cybersecurity risks are and what needs to be done to protect themselves from them. That includes promoting and developing a culture of cyber resilience.
In practical terms that includes:
- doing an inventory of every computer system that exists across the organisation to determine whether it is being properly patched, whether user access is properly controlled and whether multi-factor authentication is in place.
- reviewing the type of data being held, determining where it is stored, how it is being protected and who has access to it. That exercise will expose vulnerabilities.
- making sure there are backups of data which are stored in a way that a data breach cannot affect that storage.
- checking whether the organisation is complying with the NIST framework. It is not officially the standard but is as good as it gets. It also adopts useful strategies when dealing with soft defence, passive defence and active defence.
- undertaking audits and penetration testing by outside organisations. There is no substitute for testing.
- having a data breach response plan and running exercises to determine that it works. That means knowing who to contact when there is a data breach.
The Queensland University of Technology is the latest institution to suffer a data breach. It announced yesterday that the data breach affected 2492 current employees, 17 current students, 8,846 former employees and 50 former students. The data relating to individuals included tax file numbers and bank account details. In January it had issued a vaguer report of the data breach, which it identified as a ransomware attack.
The statement provides:
QUT has identified that some data was stolen in a cybercrime attack on December 22, 2022.
Firstly, QUT is disappointed and sorry that this cybercrime has potentially impacted on our staff and former staff. It is important to note the security of our HR, student or financial systems was not compromised or accessed by the cyber criminals. We also have no evidence to date of any further illegal activity in relation to the data that may have been accessed by the cyber criminals.
After detailed forensic analysis we did establish late last month that the cybercriminals managed to access a number of files on an internal storage drive, some of which included personal information of current and former employees and students.
What are the numbers impacted?
11,405 in total, 2492 current employees, 17 current students, 8,846 former employees, 50 former students were impacted. The information accessed included bank account numbers and in some cases tax file numbers. Of the total of 11,405, tax file numbers were impacted for 3820 individuals.
What has QUT done?
The first phase of the response involved adding security measures including all students and staff resetting passwords, introduction of additional verification steps for those working and studying remotely, and careful restoration of affected systems after eliminating the offending ransomware. We have also implemented additional expert monitoring and validation mechanisms. At every stage of our response we have been in regular communication with staff and students and all relevant Queensland and Federal authorities.
For those individuals impacted by the data breach, we have notified the individuals by email or mail, provided access to identity protection services, and counselling from experts and a dedicated staff help line. All current and former staff and students have received their notifications and more than 1,300 people have contacted QUT. If former staff are concerned, they may contact the cyber hotline on 07 3138 1940 or email cyberincident@qut.edu.au.
The QUT statement is quite rudimentary. It begs as many questions as it answers. That can be problematic if the breach attracts real rather than cursory media attention. In Australia notices of this nature are quite recent, whereas in the United States notifications have been the norm for many years. As a result there is more sophistication and detail in the statements issued by American institutions. The Optus and Medibank data breaches show that privacy professionals in Australia have a long way to go in managing data breaches. The initial responses in both cases were poorly drafted, evasive and obviously incomplete. It took some time and many releases to provide proper explanations, all the while those businesses were excoriated in the media and by public figures. There is a skill to drafting these statements.
The data breach has been reported in itnews and by the ABC. The itnews report provides:
Extent of Royal attack revealed.
QUT said 11,405 individuals had their data breached in a December cyber attack, higher than initial estimates of around 2500 individuals.
In a revised statement, the university said the breach affected 2492 current staff and 8846 former staff.
It also impacted a small number of students – 17 current students, and 50 former students.
Data that may have been breached included bank account numbers, and for 3820 individuals, their tax file numbers.
Those affected are being contacted so that the university can provide them with ID protection services, expert counselling, and there’s a dedicated staff help line.
The university said all those affected have now been contacted.
According to the ABC, the cause is a ransomware attack. The university has linked the attack to the Royal ransomware variant.
The attack led QUT to take its Blackboard teaching system offline, along with various staff systems including its Cisco-based remote access network, network storage, and printers.
“The first phase of the response involved adding security measures including all students and staff resetting passwords, introduction of additional verification steps for those working and studying remotely, and careful restoration of affected systems after eliminating the offending ransomware,” the university said.
“We have also implemented additional expert monitoring and validation mechanisms.
“At every stage of our response we have been in regular communication with staff and students and all relevant Queensland and federal authorities.”