Strewth: Hackers slurp 19 years of Oz student data in uni's second breach within a year

The Australian National University (ANU) today copped to a fresh breach in which intruders gained access to "significant amounts" of data stretching back 19 years. The top-ranked Oz uni said it noticed about a fortnight ago that hackers had got their claws on staff, visitor and student data, including names, addresses, dates …

  1. Blockchain commentard Silver badge

    Too busy looking up to the stars to see the backdoor was left open. Again !!!!

  2. Khaptain Silver badge

    Do they really need all that data together

    "names, addresses, dates of birth, phone numbers, personal email addresses and emergency contact details, tax file numbers, payroll information, bank account details, and passport details. Student academic records were also accessed."

    That seems like a lot of data held on the "same" system... Does your Passport and/or Emergency Contact Details really need to be held alongside your payroll details ? Something smells very un-GDPR.......

    GDPR reminder : Purpose limitation

    Organisations should only collect personal data for a specific purpose, clearly state what that purpose is, and only collect data for as long as necessary to complete that purpose.

    1. Anonymous Coward

      Re: Do they really need all that data together

      I'm not sure if this was a case of all details being held on a single system - it sounds like the attackers had compromised pretty much every system...

      I'm guessing that the clean up after the first breach missed something, leaving the attackers not only a route back in but likely the ability to watch the attempted fixes.

  3. Tom 7 Silver badge

    That will really come in handy for fraudsters in a few years

    when they finished paying for working in London bars!

    1. Anonymous Coward

      Re: That will really come in handy for fraudsters in a few years

      The days of Aussies serving beer in London have largely gone. EU staff are cheaper...

      You can still find Aussies drinking other people's beer though. The tight bastards....next round my arse...

  4. sanmigueelbeer Silver badge
    Joke

    Hey, I got a great idea!

    Hire Huawei and all the hacking shenanigans go away. Kapish?

  5. Pascal Monett Silver badge
    FAIL

    "we undertook a range of upgrades to our systems to better protect our data"

    Yeah, but that didn't actually work now did it ?

    I don't know what it is you upgraded, and what you upgraded to, but it seems to me that a redesign of your network is in order.

    Like, putting a firewall between your network and all that juicy data you are hoarding for no good reason. Maybe add a proxy server and another firewall behind that, to ensure that only the proper computers - which have no Internet access - can access that data.

    One more thing : maybe a decade after someone has left your University, you could consider not having that data accessible via the network ? In other words, archive it ?

    1. Anonymous Coward

      Re: "we undertook a range of upgrades to our systems to better protect our data"

      "One more thing : maybe a decade after someone has left your University, you could consider not having that data accessible via the network ? In other words, archive it ?"

      I wonder if they do keep data back this far.

      Or whether the data was part of test systems.

      Or if the attackers were submitting requests for historical data restores and still not being noticed.

      From the article, I'm not sure which option is more likely.

  6. Sureo
    Facepalm

    So they've gone from not detecting breaches to detecting breaches .... next step is actually preventing breaches?

  7. Christoph Silver badge

    "The vice-chancellor, who chummily signed off as "Brian""

    That's going to cause a little confusion

    Mind if we call you 'Bruce'?

    1. tjbutt

      That would be Brian Schmidt, Nobel prize for physics.

      I'm pretty sure he was making the point that the entire university, including himself, was affected.

      I read the breach announcements, thought they were well done. A little empathy is good to see.

      I also have some empathy for the task of protecting a large university, inherently full of BYOD, from a determined attack. Virtually impossible.

      That large collection of 'toxic data' is troubling, though.

      1. Anonymous Coward

        "I also have some empathy for the task of protecting a large university, inherently full of BYOD, from a determined attack. Virtually impossible."

        While protecting against every possible attack is, as you say, virtually impossible, being aware of your critical systems and protecting them via best practices should have both limited the impact (if not prevented it entirely) and reduced the time the attackers had to cause mischief.

        This isn't a unique organisation - there are thousands of universities all over the world providing this type of access, and many more organisations providing similar levels of access. While other organisations do get compromised, they rarely get compromised twice in the space of 12 months with the second compromise getting significantly more data.

        If cost is the key issue, requiring higher levels of device control (i.e. ACLs/host-based firewalls to limit access to key systems, and force all other access via SSLVPN from untrusted parts of the network with IDS/IPS/NAC tools to enforce compliance and spot unusual traffic early. All of this can be done with open source tools and a little reading or with off-the-shelf products at a higher cost). From there, start cleaning up the rest of the network to make more of it "safe" - use network scanners to find forgotten servers, update/patch older equipment, set standards that are enforced so that 10+ year old FTP servers sit around unpatched etc.

  8. Mark Exclamation

    Course score for this University:

    Not yet competent.

  9. Aussie Doc
    Facepalm

    That's an awful lot of info in the one spot, isn't it?

    Only the ATO would seem to have more, perhaps?

  10. Anonymous Coward
    Terminator

    Obviously not eating their own dog-food

    Australia National University .. runs a respected computer science program, including a course on offensive cyber operations that's designed to teach students how "to identify and test systems for vulnerabilities without full knowledge or direct access."

    A little light on the actual technical details, any idea as to how the hackers got in, in the first place?

  11. Spacedinvader
    WTF?

    Seriously...

    "ANU said it had "been working in partnership with Australian government agencies for several months" to fend off the attack."

    Pull the fucking network cable out!


Biting the hand that feeds IT © 1998–2020