The personal information of 46,980 Deakin University students have been stolen in a data breach, of which almost 10,000 of which received an SMS scam message shortly after.
The breach, which was first discovered by Deakin University on July 10, began when an attacker used a staff member's username and password to access student information via one of Deakin's third party providers.
The attacker went on to use the information of 9,997 Deakin students in an SMS phishing campaign, with victims prompted to make payment for a fraudulent postal delivery.
Recipients that opened the links in the SMS were led to a page that requested not only personal details, but credit card information as well.
Any students that followed the malicious link's requests are now susceptible to attacks such as identity theft and payment fraud.
Universities under fire
Education is repeatedly one of the top five industries that reports falling victim to data breaches, according to the Office of the Victorian Information Commissioner’s (OVIC) Notifiable Data Breaches Report.
Professor Matt Warren, Director of the RMIT University Centre for Cyber Security Research and Innovation, said the motivation for the attack was financial, “as the attackers have sought to obtain personally identifiable information including credit card details that could be used for a number of criminal activities including identity theft.”
"Australian universities are a target of many types of cyberattacks, and the motivation behind these attacks relate to financial theft, ransomware and theft of intellectual property," he added.
Organisations with a large number of employees, such as universities, are often left with a higher risk of human error.
Furthermore, universities such as Deakin hold sensitive and highly valuable data pertaining to their students, attracting more attention from cyber criminals.
And given that it only takes one employee falling for a scam and losing their login credentials for an entire system to be compromised, it's no surprise that educational organisations are under frequent attack.
"The recently reported cyberattack against Deakin University shows that no Australian organisation is immune to cyberattacks, whether they are big or small," Warren said.
In a public statement issued on 14 July, Deakin stated it "sincerely apologised to those impacted", and assured victims that they are conducting a thorough investigation into the attack.
Deakin explained that the attack impacts both former and current students.
It also shared that the personal information stolen includes full names, mobile numbers, email addresses, and sensitive details pertaining to recent unit results.
While the full details of the breach have not been revealed, Deakin's statement contains no mention of multi-factor authentication (MFA).
MFA involves the use of additional information (typically a unique and temporary access code) when logging into a system, and is said by Microsoft to prevent 99.9 per cent of account compromise attacks.
By utilising simple MFA, the attacker would have needed to break through an additional barrier of entry after acquiring the staff member’s username and password, which may have halted the attack.
Another critical factor in this breach is that the attack occurred within a third-party vendor's systems, rather than Deakin's systems directly.
Deakin University had reportedly engaged the unnamed third-party provider for the purpose of forwarding text messages to their students.
When engaging a third party vendor, it is crucial to understand both their level of security and the amount of risk inherited by letting them handle shared data, one expert said.
"The rise of cyberattacks on Australia’s education industry highlights just how important it is for organisations to have tight control over their data" says Scott Leach, VP at software security company Varonis Asia-Pacific.
"This means knowing exactly who has access to what, and which data presents the highest risk if it were to be exposed."
Unfortunately, organisations often lose visibility and control of their data the moment it enters a third-party platform.
If the attack occurred within Deakin University's own systems rather than a third party's, security measures such as MFA, geographical login restrictions, or even a simple system notification of the attempted download may have been enough to prevent the eventual breach.
Deakin is currently working with OVIC and the related third-party vendor to both report the breach and bulk up on its security practices moving forward.