Australia data breach: 55,000 files accessed at Melbourne Polytechnic
A 34-year-old man has been charged in connection with “highly complex” breach
A higher education institution in Victoria, Australia, has disclosed a data breach impacting around 55,000 files containing the personal data of staff, students, and suppliers.
In a security alert issued yesterday (March 11), Melbourne Polytechnic said Victoria Police had notified them that an individual who attended the campus in late 2018 had “obtained unauthorised access to Melbourne Polytechnic’s computer systems by hard logging onto the network; overcoming security measures”.
The technical and further education institution (TFE) said that the breach affected personal data – including email addresses, passwords, and financial and health information – that was held in some of its IT systems between September and December 2018.
Victoria Police told The Daily Swig that detectives had “charged a man following an investigation into an alleged data breach”.
A second, unidentified educational institution also appears to have been targeted, since the police added that “it is alleged the man gained unauthorised access to data from two higher education institutions between August and December 2018”.
The suspect, 34, “was also in possession of other unauthorised data”.
Compromised files
Melbourne Polytechnic, which accommodates more than 50,000 students, said for “the vast majority” of victims only Melbourne Polytechnic usernames, passwords, and email addresses were exposed.
However, it admitted it was possible that “any information held in those Melbourne Polytechnic accounts at that time was exposed”.
It added that “for a smaller number of people, financial information such as banking and credit card details, passport and drivers licence numbers and some confidential health details may have been accessed.”
The TFE said it had conducted an investigation after receiving the compromised files from the police in late October 2019.
This month it has sent letters to all affected individuals itemizing which of their personal data types had been accessed.
The letters also included recommendations from IDCARE, Australia’s cybersecurity support service, on how victims can protect themselves.
Melbourne Polytechnic has additionally established a call centre to field queries from affected individuals.
Security improvements
In a statement, Melbourne Polytechnic CEO Frances Coppolillo offered “sincere apologies” to the breach victims.
“In response to this incident, we have completed an independent review of our cybersecurity procedures and are implementing a range of improvements including software and hardware upgrades to better protect our IT systems,” she said.
“This data breach was highly complex in nature and it has taken many months to fully understand its scale and impact.”
Educational institutions are an increasingly popular target for cyber-attacks. In February, Maastricht University in the Netherlands admitted to paying a $220,000 ransom following a crippling ransomware attack, while Australian Catholic University (ACU) and Australian National University (ANU) both fell prey to data breaches in 2019.
The Daily Swig has contacted Melbourne Polytechnic for further information.
RELATED Phishing attack: US insurance company reports data security incident
Gloss