The Australian National University (ANU) has revealed a massive data breach impacting students, staff and visitors.
It is believed ANU systems were compromised sometime in late 2018, but the university only became aware of the breach on 17 May 2019.
A significant amount of sensitive personal, financial and academic information was exposed in the breach. The compromised database contained information dating back 19 years.
The university is advising anyone who believes their data may be impacted to:
- Create a new password for their ANU account, and on any other accounts where their ANU password may have been re-used.
- Enable multi-factor authentication wherever possible.
Significant amount of data was exposed
ANU has advised that students, staff and visitors have had the following types of data exposed in the breach:
Names, addresses, phone numbers, dates of birth, emergency contact details, Tax File Numbers, payroll information, bank account details, student academic records and student academic transcripts.
Despite the range of data exposed and how far back it dates, an ANU statement said other detailed data, including research data, was not breached.
"Systems that store credit cards, travel arrangements, police history checks, workers' compensation, some performance development records or medical records have not been affected. The alumni database was not breached."
It is not clear who was behind the breach. ANU said the data breach was referred to "Australian government security agencies and industry security partners".
Westpac also hit by data exposure
Almost 100,000 Westpac customers have also been caught up in a data exposure incident involving the new PayID platform, according to reports in Fairfax newspapers.
The PayID platform has been compared to a phone book: a user can request to add a contact by entering a phone number and, if the number is registered, receives the name of the person associated with it.
Fairfax obtained an internal Westpac memo revealing the system had been abused by seven compromised accounts on May 22. The accounts made approximately 600,000 requests.
It's believed the incident involved looking up as many phone numbers as possible and seeing whether a name was attached. This allows the scammers to create a database of known users.
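A defender-side view of the lookup pattern described above, as an added example that is not from the article or from Westpac: it flags accounts that query an unusually large number of distinct phone numbers inside a sliding time window. The event format, account names, window length and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600   # assumed review window (one hour)
MAX_DISTINCT = 20       # assumed ceiling of distinct numbers per account per window


def flag_enumeration(events, window=WINDOW_SECONDS, max_distinct=MAX_DISTINCT):
    """events: (epoch_seconds, account_id, looked_up_number) tuples sorted by time.

    Returns {account_id: peak count of distinct numbers seen in any window}
    for every account that exceeded max_distinct.
    """
    recent = defaultdict(deque)                        # account -> (ts, number) in window
    in_window = defaultdict(lambda: defaultdict(int))  # account -> number -> hits in window
    peak = {}
    for ts, account, number in events:
        queue, counts = recent[account], in_window[account]
        queue.append((ts, number))
        counts[number] += 1
        # Evict lookups that have aged out of the window.
        while queue[0][0] <= ts - window:
            _, old = queue.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        # Repeat lookups of the same payee do not add to the distinct count.
        if len(counts) > max_distinct:
            peak[account] = max(peak.get(account, 0), len(counts))
    return peak


def constructed_events():
    """Constructed sample data; identifiers are placeholders, not real numbers."""
    events = []
    for i in range(12):    # acct-A: three regular payees, one lookup every 2 hours
        events.append((i * 7200, "acct-A", "num-A%03d" % (i % 3)))
    for i in range(30):    # acct-B: 30 distinct numbers, but one every 3 hours
        events.append((i * 10800, "acct-B", "num-B%03d" % i))
    for i in range(200):   # acct-C: 200 distinct numbers, one every 3 seconds
        events.append((50000 + i * 3, "acct-C", "num-C%03d" % i))
    return sorted(events)


if __name__ == "__main__":
    for account, distinct in flag_enumeration(constructed_events()).items():
        print(f"{account}: {distinct} distinct numbers looked up within one window")
```

Counting distinct numbers rather than raw requests keeps a customer who repeatedly pays the same few contacts below the threshold, while bulk lookups of new numbers stand out.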