VENDORiQ: Deakin University Suffers from Data Breach and Smishing Attack
2 August 2022: Deakin University announced a data breach that exposed the personally identifiable information (PII), including names, mobile numbers and email addresses, of almost 47,000 current and past students, after tracing an intrusion to the hacked account of one of the institution’s staff members. Following this breach, almost 10,000 students also received spam text messages asking for their credit card information to pay customs fees on a package. This type of mobile spear phishing attack, delivered by SMS, is known as ‘smishing’. The university, however, has claimed that it has already stopped the attack from reaching more students and alumni.
Why it’s Important
The Australian Cyber Security Centre’s ACSC Annual Cyber Threat Report revealed that the education and training sector is among the top areas that have experienced cyber security incidents in 2020-2021. Some of the most notable data breaches in recent years include:
- Australian National University’s spear phishing attack in 2019, which stole sensitive information dating back as far as 19 years from more than 200,000 students.
- In 2021, Swinburne University of Technology confirmed that the personal information of 5,200 staff and 100 students was exposed after hackers infiltrated one of the university’s event registration webpages.
- More than 50,000 Australian students who had installed the Get app (formerly known as Qnect), which facilitates payments, had their personal information exposed after a Reddit user discovered their names, email addresses, birthdates and Facebook IDs online.
Deakin University’s case is a lesson in ensuring that a cyber security response plan is constantly reviewed so that it generates a quick, comprehensive response at the enterprise level with a sense of urgency. It should also reflect accountability and promote clear communication to stakeholders. While cyber incidents never unfold according to plan, having no plan creates additional duress for decision makers in the organisation, possibly lowering the quality of their decision making.
- Security teams
- IT teams
- Begin a campaign to educate all staff on the importance of data protection to the organisation.
- Conduct a post-implementation review of your incident response plan (IRP) as soon as possible, while what worked and what could be done better is still fresh in the minds of all participants.