
Last month, a former Western Sydney U student was charged with multiple hacks of its records.
WSU is not on its own – according to the NSW Audit Office, seven of the state’s ten public universities had cyber-security incidents in 2023-24, including one unnamed that copped “numerous and invasive” cyber-attacks on its records, affecting up to 10,000 people and continuing into this year.
The NSW Audit Office spells out the size of the State-wide risk in its recent analysis of universities’ operations.
It reports the top three types of attacks were:
- email attachments (67 per cent of incidents)
- remote/unauthorised access
- theft and malice – a staff member at one university exposed sensitive information.
Of the seven universities successfully targeted, all had user accounts compromised and were infected with malware, six were scammed and had data protections breached, and four were hacked and had business emails compromised. Four were hit with ransomware.
The other three reported no activity that met the threshold for mandatory reporting to state/national agencies.
At least that was what the AO found. “Universities do not consistently follow their own procedures for recording cyber incidents, data breaches and privacy data breaches,” it reports.
“There is a gap between management reporting of the causes of cyber security incidents and what their detailed analysis identifies. Cyber security teams advised that they did not report the causes to management because of shortcomings in analytical metrics and reporting capabilities,” the AO warns.
Attackers were outsiders (five universities), criminal organisations (three), internal users (two) and students (two).
Universities are rich targets, holding personal records and IP and research information. Plus they are easily attacked, with tens of thousands of users accessing multiple systems.