By Staff Writer.
Victoria’s Deakin University was the subject of a cyberattack. Hackers used a staff member’s username and password to access student contact data and mass spam almost 10,000 students over the weekend via SMS.
Deakin confirmed the cyberattack on Tuesday, saying they became aware of the SMS incident on the weekend. The university says a staff member’s credentials were hacked and used to access student contact information held by an unnamed third-party provider.
Deakin contracts that third-party company to send bona fide text messages to students. However, over the weekend, the SMS sent to 9,997 students purported to be from courier company Aramex and asked the recipients to click on a link to pay customs fees.
“Deakin sincerely apologises to those impacted by this incident and wants to assure the Deakin community that it is conducting a thorough investigation to prevent a similar incident from occurring again,” the university said in a statement.
Online commentators have noted the irony of a university that offers cybersecurity degrees being a cyber-target.
In addition to the mass spamming incident, Deakin confirms the cyberattack allowed the hackers to download the contact details of 46,980 current and past Deakin students. Those contact details included each student’s name, student ID, mobile number, Deakin email address, special comments, and recent results.
“Immediate action was taken by Deakin to stop any further SMS messages being sent to students, and an investigation into the data breach was immediately commenced,” Deakin’s statement adds.
The cyberattack closely follows the release of an Office of the Victorian Information Commissioner (OVIC) report on the security of personal information held by Victoria’s universities.
The report confirms that Victoria’s universities are increasingly subject to cybersecurity attacks. Last year, a cyberattack at rival Victorian university RMIT caused the suspension of new student enrolments there and temporarily halted the processing of staff payroll.
The OVIC report found that Victoria’s universities had three common cybersecurity vulnerabilities. Those vulnerabilities included universities inadequately managing risks to personal information involving physical and personnel security; not having clear policies and procedures to guide staff to destroy personal information when it is no longer needed; and not having written guidance about sharing personal information with third parties.
Deakin University says it has reported last week’s cyberattack to the OVIC. The university says it continues to investigate the incident and is working with the third-party provider to ensure security protocols are enhanced to prevent any recurrence.
The OVIC says all Victorian universities, including Deakin, have prioritised ICT and cybersecurity risks. That includes training staff on cybersecurity issues, conducting Privacy Impact Assessments for new projects involving personal information, and having a data breach response plan.
The privacy watchdog also notes that universities are complex organisations with many different but interlinked businesses.
“It can be challenging for a university to implement effective data governance, especially where the business units operate separately,” says the OVIC report.