Incident report on the breach of the Australian National University’s administrative systems

Vice-Chancellor’s Foreword

In June 2019, I notified our community we had been the victims of a cyber attack.

In the wake of that announcement I committed to making our investigation public. I wanted to be as transparent with you as possible about what happened, how it happened and why it happened. And by doing so, I also want to encourage disclosure of these attacks more broadly.

This incident report provides details on the attack including the methods used by the attacker to infiltrate The Australian National University (ANU) systems. To my knowledge, this publicly available report is the first of its kind in Australia following a cyber attack on a public institution.

I have made this report public because it contains valuable lessons not just for ANU, but for all Australian organisations who are increasingly likely to be the target of cyber attacks. It is confronting to say this, but we are certainly not alone, and many organisations will already have been hacked, perhaps without their knowledge. I hope this report will help them protect themselves, and their data and their communities.

As I said in my statement on 4 June 2019, the perpetrators of our data breach were extremely sophisticated. This report details the level of sophistication, the likes of which has shocked even the most experienced Australian security experts.

While it’s clear we moved quickly to implement hardening and security improvement measures following our first cyber-attack in May 2018, this report shows we could have done more.

The report outlines where those lessons for ANU have been learned and what we are doing to further protect our systems. But we have to strike a balance and this report cannot be an instruction manual for would-be hackers to launch another attack. I have asked for this report to be as transparent as is allowable to ensure our community is well-informed, but not so that criminals are armed with information that compromises our systems or that of another organisation.

Despite our considerable forensic work, we have not been able to determine, accurately, which records were taken. However, our analysis has been able to establish that while the hackers had access to data up to 19-years-old, the hackers took much less than the 19 years’ worth of data we originally feared. We also knew the stolen data has not been further misused. Frustratingly this brings us no closer to the motivations of the actor.

I thank all those involved in the response to this incident and in the preparation of this report, particularly our colleagues across Commonwealth security agencies, IDCARE and Northrop Grumman.

Finally, and most importantly, I wish to apologise to the victims of this data breach: our community.We are working constantly to ensure the protection of the data you entrust us with; and are investing heavily in measures to reduce the risks of this occurring again, including a multi-year information security investment program. But we must all remain vigilant and follow the advice of security experts to protect our personal information.