Universities Hit By Data Breaches

Summary —

In the past month the Australian National University (ANU) and Australian Catholic University have been hit by data breaches affecting more than 200,000 people. It’s in this environment that providers across the independent tertiary education system are reviewing their data protection protocols.

Key Issues —

Advice of a major data breach that occurred in late 2018 was released by ANU in early June 2019, some two weeks after it was discovered. The university said that there was unauthorised access to significant amounts of personal staff, student and visitor data extending back nineteen years.

Depending on the information provided to ANU, the data accessed may have included names, addresses, dates of birth, phone numbers, personal email addresses and emergency contact details, tax file numbers, payroll information, bank account details, and passport details. Student academic records were also accessed.

Upon identifying that the data breach had occurred, ANU set about working to further strengthen our systems against secondary or opportunistic attacks.

Some two weeks after ANU released public information concerning its unfortunate data breach ACU said that a data breach was discovered on 22 May 2019 and a number of staff email accounts and some University systems had been compromised.

The data breach at ANU originated from a phishing attack: an email pretending to be from ACU tricking users into clicking on a link or opening an attachment and then entering credentials into a fake ACU login page. In a very small number of cases, staff login credentials were obtained successfully via the phishing email and were used to access the email accounts, calendars and bank account details of affected staff members.

These two attacks have highlighted the importance of the tertiary education system being vigilant and proactively working to protect student and staff records. It’s a topical issue and one being considered at the ITEC19 conference to be held over 21-23 August 2019 on the Gold Coast. For conference information visit:


At the ITEC19 Conference Mr Damien Manuel, Chair of the Australian Information Security Association, will make a presentation entitled ‘Cyber Threats To Student Data Security.’ Precipitously, this presentation was planned before news of the unfortunate data breaches at ANU and ACU was made public.

Mr Manuel’s presentation will highlight the fact that independent tertiary education providers store a great deal of information about their students and it’s not possible to assume this is safe from cyber criminals. In this thought-provoking presentation lean about how student databases and other sources such as email may be subject to theft and what your business can to protect itself, and your students.

In light of the cyber attacks at ANU and ACU that saw the data breaches occur, ITECA advises all independent tertiary education providers to review their data security arrangements.

Member Engagement:

ITECA’s ability to play a lead role in matters associated with this issue rests on the advice and guidance of individuals belonging to the ITECA Higher Education Sector Interest Group.

Further Information:

For more information on this issue please send an email to policy@iteca.edu.au or telephone 1300 421 017.  Stay up to date via Twitter @ITECAust or via Facebook at www.facebook.com/ITECAust.


Leave a Reply

Your email address will not be published. Required fields are marked *