Swinburne University of Technology has confirmed personal information on staff, students, and external parties had inadvertently made its way into the wild.
It said it was advised last month that information of around 5,200 Swinburne staff and 100 Swinburne students was available on the internet.
This data, Swinburne said, was event registration information from multiple events from 2013 onwards. The event registration webpage is no longer available.
The information made available was name, email address, and, in some cases, a contact phone number.
“We took immediate action to investigate and respond to this data breach, including removing the information and conducting an audit across other similar sites,” the university said in a statement on Friday.
“We sincerely apologise to all those impacted by this data breach and for any concerns this has caused.”
Swinburne said it is currently in the process of contacting all individuals whose information was made available to apologise to them and offer appropriate support.
“We are also contacting around 200 other individuals not connected to Swinburne who had registered for the event and whose information was also made available,” it said.
The breach has been reported to the Office of the Australian Information Commissioner (OAIC), the Office of the Victorian Information Commissioner (OVIC), the Tertiary Education Quality and Standards Agency (TEQSA), and the Victorian Education Department.
The higher education sector in Australia could soon find itself considered as systems of national significance, with the government ready to enforce an “enhanced framework to uplift security and resilience” upon universities via the Security Legislation Amendment (Critical Infrastructure) Bill 2020.
The Group of Eight (Go8), comprising eight Australian universities, believes the government has in fact not yet identified any critical infrastructure assets in the higher education and research sector and, therefore, does not feel higher education and research should be included as a critical infrastructure sector, given the regulatory ramifications.
“The Go8 considers the catch-all nature of the legislation as proposed for the higher education and research sector to be highly disproportionate to the likely degree and extent of criticality of the sector,” it said in February.
The Go8 comprises the University of Adelaide, the Australian National University, the University of Melbourne, Monash University, UNSW Sydney, the University of Queensland, the University of Sydney, and the University of Western Australia.
Swinburne made its own views available to the committee probing the Bill, in February saying that the cost of positive security obligations and enhanced cybersecurity measures for assets deemed to be systems of national significance would be difficult for universities to absorb, given the current funding situation and decrease in income from international student enrolments.
“Therefore, the Commonwealth must ensure that universities are adequately funded to meet their responsibility of providing quality education and respond to these new security requirements,” it wrote.
“While security from foreign interference is of paramount importance, equally important is the economic security provided by having a robust tertiary sector. We recommend that the government work closely with the sector to ensure that the legislation has minimal impact on essential university operations.”
The Australian National University (ANU) in late 2018 suffered a massive data breach that was discovered in May 2019, and revealed two weeks later in June.
The hackers gained access to up to 19 years’ worth of data in the system that houses the university’s human resources, financial management, student administration, and “enterprise e-forms systems”.
Then there was Melbourne’s RMIT University, which in February responded to reports it fell victim to a phishing attack, saying progress was slowly being made in restoring its systems.
At a recent Parliamentary Joint Committee on Intelligence and Security (PJCIS) hearing on the national security risks affecting the Australian higher education and research sector, discussions around the two security incidents were used by Home Affairs representatives to justify the inclusion of higher education and research in the Critical Infrastructure Bill.