Personal details of students, staff and visitors were exposed in a "sophisticated" data breach at the Australian National University in May, the university revealed on Tuesday.
Nineteen years' worth of personal data, including names, addresses, phone numbers, email addresses, bank account details, and passports, was accessed during the data breach.
In a message to students, Vice Chancellor Brian Schmidt said "a sophisticated operator" accessed the university's systems in late 2018 but the breach was not detected until May 17.
But what does that mean for students, staff and visitors at the university? (Note the university has released its own FAQ here.)
What should I do?
Change the password you use at ANU, right now.
The university's Chief Information Security Officer said students or staff who had not changed their university password since November 2018 should do so immediately.
If you use this same password or a similar password elsewhere at ANU or anywhere outside of ANU, say for Facebook or online banking, then you should change it too. It's always best to use different passwords for each service you use.
The best advice, really, is to change your password for everything regardless.
The Office of the Australian Information Commissioner has this guide on what to do if your data has been breached.
What was taken?
Nineteen years' worth of names, addresses, phone numbers, dates of birth, emergency contact details, tax file numbers, payroll information, bank account details, student academic records and student academic transcripts.
But the university said "systems that store credit cards, travel arrangements, police history checks, workers' compensation, some performance development records or medical records have not been affected. The alumni database was not breached".
Can my identity be stolen?
UNSW Canberra Cyber director Nigel Phair said the information is enough to get consumer credit, a mobile phone plan, a car loan and reset your social media accounts.
How can I check my identity has been stolen?
Did someone read my emails?
According to the university, no.
What can I do to keep my data safe?
Experts recommend changing your password regularly and using two-factor authentication where possible.
They also recommend using a password manager, which Mr Phair said generates random passwords in an app or online "vault" which you then access with one password.
"It's similar to an Apple Keychain, where it remembers your password, but it's that next little step. It randomly generates a password so difficult you're not going to be able to remember," Mr Phair said.
Internet browsers like Firefox or Chrome have similar features to Apple's Keychain, in that they can store multiple passwords, but they still require you to put in the passwords yourself.
Two-factor authentication can be used on your email, social media or online banking. This gives you the option of putting in your password and then receiving an SMS with a randomly generated code. Google also has an app for your phone which generates the code for you, as does Facebook.
What else should I be on the lookout for?
The university has warned people to watch for suspicious emails, whether from unknown senders or appearing to come from a known source.
Don't click on any links or attachments in these emails. Be suspicious of emails from known senders which ask you to enter personal information, like credit card details.
"Never give any sensitive or personal details over email no matter how legitimate or authoritative the source may seem," the university said.
Hasn't this happened before and is it related?
In July last year, China-based hackers infiltrated the university's IT systems, potentially compromising national security and defence research projects.
The university hosts the National Security College, which trains Australian defence and intelligence personnel.
Professor Schmidt said this new breach happened in "late 2018" but the university has not confirmed whether it was related.
Mr Phair said people could "safely assume" this recent breach was related to last year's.
Am I personally safe?
The university has said yes, but if you pick up on any suspicious activity, emails or phone calls, you should report it to ANU Security on 02 6125 2249. The university said people concerned about their immediate safety should call 000.
Mr Phair said people should keep on the lookout for any random invitations, emails or phone calls, warning that international students may be potentially "groomed".
"If you've been a staff or a student at ANU you should have a heightened sense of your online footprint," Mr Phair said.
Who do I report suspicious activity to?
You can report it to the university, police or the Australian Cybersecurity Online Reporting Network.