Cyber security expert Professor Matt Warren said the cyber attack against Deakin highlighted the need for heightened security measures.

“The incident highlights … the importance of multi factor authentication to protect individual users, the importance of when dealing with third party providers to ensure that they have a suitable level of cyber security in place (and) the complexity behind the attack,” he said.

Prof Warren, who is the director of RMIT University’s Centre for Cyber Security Research and Innovation, said the attack featured five complicated steps.

He said hackers obtained relevant staff login details, downloaded the contact details of nearly 50,000 students both past and present and sent a prepared text to nearly 10,000 students to make them click on a link which then prompted them to provide credit card details.

The final part of the plan involved collecting personally identifiable information.

“The motivation of the attack is financial as the attackers have sought to obtain information including credit card details that could be used for a number of criminal activities including identity theft,” he said.

“Australian Universities are a target of many types of cyber attacks and the motivation

behind the attacks relate to financial theft, ransomware and theft of intellectual property.

“Australian Universities now find themselves part of the new cyber normal.”

KnowBe4 Australian security awareness advocate Jacqueline Jayne said cyber criminals targeted universities because they held a large amount of data.

“When a system is breached, one of the first things a hacker might do is copy an entire inbox to an offline system which takes seconds,” she said.

“This gives them time to have a look around in case they are discovered and all passwords are changed.”

The attack on Deakin University’s students comes as the Australian Communications and Media Authority (ACMA) registered new rules to help protect Australians against SMS scams.

The new rules will require all telecommunication providers to identify, trace and block SMS scams, while facing penalties of up to $250,000 if they do not comply.

Federal Corangamite MP Libby Coker said the scam impacting Deakin students was a “classic example” of what many Australians have experienced.

“These new rules aim to disrupt scammers’ business models, which will help to protect vulnerable Australians against scammers accessing their bank account, social media and online businesses,” she said.

Ms Coker said it takes scammers an average of seven days from the initial theft to commit multiple identity crimes.

According to ACCC ScamWatch data, financial losses from SMS scams this year to date have more than doubled compared to the same period in 2021 – from around $3.8m to over $9.1m.

Deakin University was unable to provide further information.

Details of 47,000 Deakin students stolen in cyber attack

Deakin University has revealed it was the target of a cyber attack with nearly 10,000 students impacted.

The details of around 47,000 past and present students, including names, phone numbers and academic results, were also stolen in the attack which took place on Sunday, July 10.

In a blog post, a Deakin spokesperson said they became aware of an incident in which a staff member’s username and password was hacked by an unauthorised person to access information held by a third-party provider.

The third-party provider is engaged by Deakin to forward messages to students via SMS on behalf of the university.

Deakin confirmed that the unauthorised person was able to use that information to send a SMS to 9,997 Deakin students while appearing as if it came from the university.

The SMS said: “Your parcel is available, you have to pay customs fees urgently on the link below.”

Those who clicked on the link were taken to a form which asked students for their credit card details.

It is unclear how many students shared this information or made payments.

The spokesperson said: “Deakin sincerely apologises to those impacted by this incident and wants to assure the Deakin community that it is conducting a thorough investigation to prevent a similar incident from occurring again.”

The unauthorised person was able to download the contact details of 46,980 current and past students with that information including each person’s name, student number, mobile number, Deakin email address and special comments such as recent uni results.

Deakin is now working with the Office of the Victorian Information Commissioner (OVIC) and continues to investigate the incident.

“Immediate action was taken by Deakin to stop any further SMS messages being sent to students and an investigation into the data breach was immediately commenced,” the blog stated.

Deakin has urged all students who may have fallen victim to the scam to contact their financial institution immediately and reach out for help by heading to Student Central.

.

More Coverage

Victoria’s biggest prison suffers cyber attack

Mark Buttler

‘We felt we were ok:’: Anglesea drowning details revealed

Georgia Holloway

Originally published as Deakin’s cyber attack highlights a growing problem for universities