Around 10,000 Deakin University students have been embroiled in a cyber attack after a hacker gained access to the institution’s internal systems and targeted individuals with scam text messages.
In a blog post yesterday, Deakin University said on Sunday 10 July it became aware of the incident which also saw the cyber criminal download the contact details of 46,980 current and past students including their names, student IDs, mobile numbers, Deakin email addresses and even recent unit results.
The texts, sent to 9,997 students, came about after a staff member’s username and password was obtained by a hacker and used to access information held by a third-party provider engaged by Deakin to forward messages prepared by the University to students by SMS.
The students were then sent an SMS, as if from Deakin, with the following text:
According to the university, anyone who clicked on the link was then taken to a form which asked for additional information, including credit card details.
“Immediate action was taken by Deakin to stop any further SMS messages being sent to students and an investigation into the data breach was immediately commenced,” Deakin University said.
“Deakin will report the breach, and be guided by, the Office of the Victorian Information Commissioner (OVIC).
“Deakin continues to investigate the incident and is working with the third-party provider to ensure security protocols are enhanced to prevent any recurrence of this breach.”
Those who received the SMS have been asked by the University to stay vigilant as further spam attempts to access private data may be made.
Further, those who clicked the link in the text message and sent money or shared banking details have been asked to contact their financial institution immediately.
Other actions that can be taken by concerned students include changing passwords and reaching out to the University for tailored assistance.
“Malicious attacks are becoming more common place, and more difficult for individuals to detect, however we must all remain vigilant,” Deakin University said.
“Deakin’s Cyber Security team is committed to protecting the personal information of our entire community.”
The incident comes amid a heightened environment for targeted attacks by cyber criminals, with Australians robbed of more than $2 billion by scammers in 2021.
According to the Australian Competition and Consumer Commission’s (ACCC) latest Targeting Scams report, this record amount stolen was recorded despite government, law enforcement and the private sector disrupting more scam activity than ever before.
Reported losses to all organisations totalled almost $1.8 billion, but as one-third of victims do not report scams the ACCC estimates actual losses were well over $2 billion.
Investment scams were the highest loss category ($701 million) in 2021, followed by payment redirection scams ($227 million), and romance scams ($142 million).
“Scam activity continues to increase, and last year a record number of Australians lost a record amount of money,” ACCC deputy chair Delia Rickard said.
“Scammers are the most opportunistic of all criminals: they pose as charities after a natural disaster, health departments during a pandemic, and love interests every day.”
“The true cost of scams is more than a dollar figure as they also cause serious emotional harm to individuals, families, and businesses.”
Companies that fail to have adequate systems in place to protect consumers from cybersecurity risks are also on notice.
In May this year RI Advice was ordered to repay $750,000 in legal fees to the corporate watchdog after the Federal Court determined the former ANZ (ASX: ANZ) subsidiary breached its license obligations by failing to have adequate systems in place to manage cybersecurity risks.
The judgement was a first in Australian legal history and came after nine cybersecurity incidents occurred at RI Advice authorised representatives' practices between June 2014 and May 2020.
“These cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information,” Australian Securities and Investment Commission (ASIC) deputy chair Sarah Court said.
“It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access."
Get our daily business news
Sign up to our free email news updates.