An attack on Deakin University that compromised the data of nearly 47,000 current and past students was used to launch smishing (SMS phishing) attempts against students.
Attack details
On Sunday 10 July, an unauthorised person accessed information held by a third-party provider using a staff member’s username and password.
The Victorian university used a third party to forward messages prepared by the university to students via SMS. Using the information accessed, the attacker sent an SMS to 9,997 students that posed as a message from Deakin.
This smish was a parcel delivery scam: it contained a link that, when clicked, led recipients to a website asking for additional information, such as credit card details.
The scam text read: “Your parcel is available. You have to pay customs fees urgently on the link below.” The message was followed by two links, both of which took the student to a form which asked for extra information including credit card details.
The attacker obtained the contact information of 46,980 current and former Deakin University students. Names, mobile numbers, university email addresses, and “special comments” such as recent exam results were among the data accessed.
“Deakin sincerely apologises to those impacted by this incident and wants to assure the Deakin community that it is conducting a thorough investigation to prevent a similar incident from occurring again,” said the university.
According to the university, the Office of the Victorian Information Commissioner (OVIC) will be consulted regarding the breach. The university also said it would ensure that security protocols with the third-party provider are strengthened to prevent any recurrence.
Education’s biggest challenge: the human factor
Educational institutions are subject to so many cyberattacks mainly because of their extensive attack surface, which can expose numerous vulnerabilities. The large amount of valuable information they store, combined with rapid digitisation and the increasing use of BYOD (bring your own device) policies, unfortunately makes them an attractive target for cybercriminals.
Preventing and responding to data breaches in the education sector
- Cybersecurity training: Provide relevant cyber awareness training to staff and students. They play an important role in organisational cybersecurity and are often the first line of defence against phishing and ransomware attacks.
- Update systems regularly: Updates to operating systems, browsers, and applications fix known vulnerabilities and protect against new threats. In terms of cyber safety, this simple good practice can make all the difference.
- Preparation is key: Raising awareness and instilling good security habits is important, but it may not be enough. Be prepared for the possibility that your school or university could be attacked. Make sure your team has an incident response plan or ransomware response checklist in place before an incident occurs. An experienced cybersecurity organisation can cut through the chaos and take the right steps before, during, or after a crisis hits.