Swinburne University of Technology has confirmed personal information on staff, students, and external parties had inadvertently made its way into the wild.
It said it was advised last month that information of around 5,200 Swinburne staff and 100 Swinburne students was available on the internet.
This data, Swinburne said, was event registration information from multiple events from 2013 onwards. The event registration webpage is no longer available.
The information made available was name, email address, and, in some cases, a contact phone number.
“We took immediate action to investigate and respond to this data breach, including removing the information and conducting an audit across other similar sites,” the university said in a statement on Friday.
“We sincerely apologise to all those impacted by this data breach and for any concerns this has caused.”
Swinburne said it is currently in the process of contacting all individuals whose information was made available to apologise to them and offer appropriate support.
“We are also contacting around 200 other individuals not connected to Swinburne who had registered for the event and whose information was also made available,” it said.
The breach has been reported to the Office of the Australian Information Commissioner (OAIC), the Office of the Victorian Information Commissioner (OVIC), the Tertiary Education Quality and Standards Agency (TESQA), and the Victorian Education Department.
Need to disclose a breach? Read this: Notifiable Data Breaches scheme: Getting ready to disclose a data breach in Australia
The higher education sector in Australia could soon find itself considered as systems of national significance, with the government ready to enforce an “enhanced framework to uplift security and resilience” upon universities via the Security Legislation Amendment (Critical Infrastructure) Bill 2020.
The Group of Eight (Go8) — comprising eight Australian universities — believe the government has in fact not yet identified any critical infrastructure assets in the higher education and research sector and, therefore, does not feel higher education and research should be included as a critical infrastructure sector, given the regulatory ramifications.
“The Go8 considers the catch-all nature of the legislation as proposed for the higher education and research sector to be highly disproportionate to the likely degree and extent of criticality of the sector,” it said in February.
The Go8 comprises the University of Adelaide, the Australian National University, the University of Melbourne, Monash University, UNSW Sydney, the University of Queensland, the University of Sydney, and the University of Western Australia.
Swinburne made its own views available to the committee probing the Bill, in February saying that the cost of positive security obligations and enhanced cybersecurity measures for assets deemed to be systems of national significance would be difficult for universities to absorb, given the current funding situation and decrease in income from international student enrolments.
“Therefore, the Commonwealth must ensure that universities are adequately funded to meet their responsibility of providing quality education and respond to these new security requirements,” it wrote [PDF].
“While security from foreign interference is of paramount importance, equally important is the economic security provided by having a robust tertiary sector. We recommend that the government work closely with the sector to ensure that the legislation has minimal impact on essential university operations.”
The Australian National University (ANU) in late 2018 suffered a massive data breach that was discovered in May 2019, and revealed two weeks later in June.
The hackers gained access to up to 19 years’ worth of data in the system that houses the university’s human resources, financial management, student administration, and “enterprise e-forms systems”.
Then there was Melbourne’s RMIT University, which in February responded to reports it fell victim to a phishing attack, saying progress was slowly being made in restoring its systems.
At a recent Parliamentary Joint Committee on Intelligence and Security (PJCIS) hearing on the national security risks affecting the Australian higher education and research sector, discussions around the two security incidents were used by Home Affairs representatives to justify the inclusion of higher education and research in the Critical Infrastructure Bill.
AUSTRALIA ALSO BLAMES RUSSIA FOR SOLARWINDS HACK
Elsewhere, the Australian government has joined international partners in holding Russia to account for its cyber campaign against US software firm, SolarWinds.
Hackers working for the Russian foreign intelligence service are behind the SolarWinds attack, cyber espionage campaigns targeting COVID-19 research facilities, and more, according to the United States and the United Kingdom.
The US accusation comes in a joint advisory by the National Security Agency, the Cybersecurity and Infrastructure Security Agency, and the Federal Bureau of Investigation, which also describes ongoing Russian Foreign Intelligence Service exploitation of five publicly known vulnerabilities in VPN services.
The UK has also attributed the attacks to the Russian intelligence service.
“In consultation with our partners, the Australian government has determined that Russian state actors are actively exploiting SolarWinds and its supply chains,” a statement from Minister for Foreign Affairs Marise Payne, Minister for Defence Peter Dutton, and Minister for Home Affairs Karen Andrews said.
“Over the past 12 months, Australia has witnessed Russia use malicious activity to undermine international stability, security, and public safety. Australia condemns such behaviour.”
The supply chain attacks targeting IT management software company SolarWinds represented one of the biggest cybersecurity incidents in recent years, with hackers gaining access to the networks of tens of thousands of organisations around the world, including several US government agencies, as well as cybersecurity companies.
“Russia’s campaign has affected thousands of computer systems worldwide. Australia acknowledges the high costs borne by the US private sector,” Australia’s statement continued.
Updated 16 April 2021 at 3:20pm AEST: Added Australian attribution of SolarWinds breach to Russia.