The Australian National University (ANU) has confirmed that sensitive personal data belonging to staff and students was exposed to all members of the university community for several months due to a server misconfiguration.
What Happened
According to an email sent to staff and students on Tuesday, the breach occurred when a server containing personal information was misconfigured, making it accessible to anyone with ANU login credentials. The exposed data included names, addresses, phone numbers, dates of birth, emergency contact details, and in some cases, bank account information and tax file numbers.
Duration of Exposure
The university stated that the data was potentially visible from July 2023 until the issue was discovered and rectified on November 27, 2023. This means the information was accessible for nearly five months. ANU Vice-Chancellor Brian Schmidt expressed deep regret over the incident, saying, "We are extremely sorry that this has happened and understand the concern and frustration it will cause."
Impact and Response
ANU has launched an internal investigation and is working with cybersecurity experts to determine the full extent of the breach. The university is also contacting affected individuals directly and has set up a dedicated helpline. "We are taking this matter extremely seriously and are committed to ensuring that such an incident does not occur again," Schmidt added.
Previous Incidents
This is not the first data breach at ANU. In 2019, the university suffered a sophisticated cyberattack that compromised data going back 19 years. That incident led to a review of cybersecurity measures. The latest breach raises questions about ongoing vulnerabilities in the university's data protection systems.
Advice for Affected Individuals
ANU advises all staff and students to monitor their financial accounts and be vigilant for any suspicious activity. The university recommends changing passwords and enabling multi-factor authentication where possible. For those whose tax file numbers were exposed, the Australian Tax Office has been notified, and guidance is available on how to protect against identity theft.
