Deakin University has confirmed a hacker has mass spammed nearly 10,000 students and downloaded the contact details of almost 47,000 past and present students.
The cyber attack took place on July 10 when someone managed to hack a University staff member’s credentials and used them to access student information held by an unnamed third-party provider.
The hacker then sent 9,997 students a scam text message which asked the recipients to “urgently” pay customs fees for their ordered parcel. The SMS message also included a link that took the recipient to a form requesting their information, including credit card details.
In addition, the hacker gained access to the contact details of 46,980 current and past students, including student names, student IDs, mobile numbers, Deakin email addresses and recent results.
A Deakin University spokesperson said in a blog post that the university had taken “immediate action” to stop further SMS messages from being sent and commenced an investigation into the data breach.
“An investigation into the data breach was immediately commenced,” the university said in a statement in which it vowed to work to prevent future cyber attacks.
“Deakin sincerely apologises to those impacted by this incident and wants to assure the Deakin community that it is conducting a thorough investigation to prevent a similar incident from occurring again.”
Students who received the scam text are advised to change their Deakin password.
Universities Increasingly Become Victims of Cyber Attacks
The attack comes only days after Australian authorities registered new rules requiring telecommunication companies to identify, trace and block SMS scams to protect customers.
Deakin University noted it had reported the incident to the Office of the Victorian Information Commissioner (OVIC), which recently released a report on the security of personal information held by Victoria’s universities.
According to the report, Victoria’s universities have increasingly become targets for cyber attacks due to their inadequate risk management of personal information, lack of clear policies about handling information that is no longer needed, and lack of written guidance about third-party data sharing.
In February 2021, Victoria’s university RMIT was hit by a ransomware attack, causing the university to shut down its system and suspend online and in-person classes.
Data from Scamwatch showed that Australians had lost over $6.5 million (US$4.37 million) to SMS scams so far, an increase of 188 percent compared to a year earlier.
In addition, SMS scams accounted for nearly one-third of all reported scams in 2022, and the total losses suffered by scam victims amounted to over $257 million.
Alfred Bui contributed to this report.