Australian Cyber Attack, 13 July 2022

Deakin University reveals privacy breach of 47,000 students’ details

Subset targeted with smish sent via officially-used SMS channel.

Company Report: Deakin has been targeted in a cyber attack this week – here’s what happened and what you should do
Source: Deakin University reveals breach of 47,000 students’ details | iTnews

Related incidents from Victoria and the Education and Training sector..

Deakin University has revealed a data breach impacting almost 47,000 current and past students, along with a ‘SMiShingSMiShing or smish is a type of phishing where the message is sent via SMS text message rather than email.
’ attempt that compromised a legitimate communications channel to target 10,000 current students.

On Sunday 10 July, Deakin University became aware of an incident in which a staff member’s username and password was hacked and used by an unauthorised person to access information held by a third-party provider.

This third-party has been engaged by Deakin to forward messages prepared by the University to students via SMS. The information accessed by the unauthorised person was then used to send an SMS, as if from Deakin, to 9,997. The smish was a parcel delivery scam that directed students to a webform that sought additional information, such as a payment card, to free a fake parcel from customs.

However, the attacker was able to go further than the smish campaign, and download “the contact details of 46,980 current and past Deakin students.”

“The contact details included student name, student ID, student mobile number, Deakin email address and special comments,” it said.

“The special comments included recent unit results.”

Deakin will report the breach, and be guided by, the Office of the Victorian Information Commissioner (OVIC).

Deakin continues to investigate the incident and is working with the third-party provider to ensure security protocols are enhanced to prevent any recurrence of this breach.