Email Security & Protection , Fraud Management & Cybercrime , Incident & Breach Response
Deakin Uni Students Suffer Smishing Attack, Data Breach
University Say the Cause Was a Hacked Staff Member's Account
A data breach at one of Australia's largest universities means the personally identifiable information of nearly 47,000 current and past students now resides in the hands of an unknown threat actor.
See Also: A Look into the Future of Work with EPM, Identity and Access Controls
Officials at Deakin University in the state of Victoria say they traced the incident's origin to the hacked account of a staff member. The stolen data includes student names, IDs, mobile phone numbers and university email addresses.
Nearly 10,000 students also received fraudulent text messages with a link that asked for credit card information, supposedly to pay customs fees on a package. Victims of the smishing attack, constituting around 15% of the student body, have been notified.
Hackers compromised an employee's logon credentials for the university's third-party SMS solutions provider on Sunday, Deakin says in an online mea culpa. The university says it stopped the attack from reaching a wider number of students, but it is unclear how long the threat actors had access to the third-party system or how they compromised the staff member's logon credentials.
The university says the Office of the Victorian Information Commissioner and a third-party cybersecurity provider are assisting with the investigation. It is also enhancing the security protocols to prevent a recurrence.
Australia's training and education sector is among the most targeted by online threat actors. The Australian Cyber Security Center, a government agency, says the sector ranked fifth on a scale of most reported cybersecurity incidents, albeit a far cry from incidents detected and reported by governmental agencies (see: Australian National University: 19 Years of Data Copied).
Deakin University did not immediately respond to Information Security Media Group's request for comment.
Australia Tightens Grip on SMS Scams
The university's cybersecurity incident roughly coincided with an announcement by the Australian Communications and Media Authority of new rules to protect Australians from scam messages.
Financial losses from SMS scams this year increased 188% compared to the same period in 2021, reaching more than AU$6.5 million. These type of scams accounted for nearly one-third of all reported scams to date this year, based on the Scamwatch statistics kept by the Australian Competition and Consumer Commission.
ACMA chairperson Nerida O’Loughlin says the new rules should improve consumer protections and will help make Australia a tougher target for scammers.
SMS scams can have devastating financial and emotional impacts on victims. "In some circumstances, scammers can take a person's life savings and cause profound ongoing distress," O’Loughlin says. "We shouldn't have to screen messages and adopt workaround behaviors to be able to feel safe and stay connected."
The new rules require telecommunications companies operating in Australia to identify, detect and block text scams and to publish this information to help customers manage and report scams.
