Today it was revealed the Australian National University (ANU) fell victim to a cyber security attack two weeks ago. Stolen was a substantial amount of data dating back 19 years relating to staff, students and visitors.
We don’t know for sure how long the cyber attackers were inside the ANU systems in this case. However, the university revealed details of other attempted attacks last year.
The ABC reported that the types of data stolen were “names, addresses, dates of birth, phone numbers, personal email addresses and emergency contact details, tax file numbers, payroll information, bank account details, and passport details. Student academic records were also accessed.”
These are very critical data. Privacy and security are at risk when this sort of information, especially people’s personal and financial details, are hacked.
The question now is what will happen with the stolen data.
There are three likely outcomes:
1. Invitation to pay a ransom
The hackers who stole the data might ask ANU to pay a ransom and they will “erase” the data they stole (or at least say they will). If the ransom is not paid, they will probably release it to the public.
We have seen cases like this before around the world. A recent example involved stolen coding tools.
Another example is an attack on a German IT company, Citycomp, where hackers broke into its systems and stole a lot of critical data. Citycomp was asked to pay a ransom of $5,000 – but did not. The hackers published the data.
2. Free public release of data
The hackers may release the stolen data to the public without asking for any payment. This might happen as a show of strength, to provide evidence of their capabilities, or to cause chaos.
The consequences are still very serious in this case. It could lead to serious breaches of personal privacy, fake identities being created and important intellectual property becoming available to competitors or other hackers.
More broadly, the university may attract fines from the government if it was later found that correct data protection practices were not followed. That said, there is no evidence this is the case here.
3. Sell for profit on the dark web
The hackers may sell the data on the dark web to make a profit. Others could buy the data to create fake identities and as a result fake credit cards.
An example where hackers have stolen data involving up to 150 million users and sold it on the dark web involved Under Armour’s MyFitnessPal app.
The entire stolen data set is reportedly available for an asking price of less than $20,000 in bitcoin – around one year after the breach occurred.
Hackers are hard to stop
What makes this ANU case very interesting is that in 2018 The Guardian reported that ANU had spent many months fighting off a threat to its systems. There were unverified reports this might have come from hackers based in China.
This means the ANU has known it was being targeted for a while now, and was still not able to fend off the data breach revealed today.
You might ask why the university hadn’t bolstered its cyber defences in response. The answer is the ANU probably did, to the best of its abilities.
However, when you are dealing with elite hackers and those using “zero day exploits”, it means your chances of preventing a hack are quite limited. Zero day-based exploits focus on vulnerabilities that are not yet known to anti-malware companies or for which no targeted solutions are available, such as patches or updates.
This is still a dangerous situation
There are still aspects of this situation that will present concerns to the ANU and its stakeholders.
For example, it’s possible the hackers could still be in the systems, but hidden. They may have user names and passwords for student accounts or hidden backdoors the university has not yet discovered.
It could be worse than we know
Another issue is whether the hackers have stolen even more data than is being reported.
It currently appears data not stolen includes “credit card details, travel information, medical records, police checks, workers’ compensation information, vehicle registration numbers, and some performance records”.
ANU vice-chancellor Brian Schmidt has said: “We have no evidence that research work has been affected. But the university may not yet know for sure. A very concerning aspect for the university will be the potential for intellectual property and unpublished academic works to be accessed. This could be very valuable to sell off online or even to other universities.”
This has happened before: Iranian hackers targeted 76 universities across 14 countries to steal intellectual property from research projects in 2018.
Only time will reveal what happens next. The bad news is that hackers have stolen critical data and it’s in the wind. The outcomes could be minimal or they could be disastrous, depending on the hackers’ intentions.
A big concern will be if the hackers still have access to the university systems, via an established backdoor, and are siphoning off critical data as it emerges.
Authors: Nicholas Patterson, Lecturer, Deakin University