Deakin University has confirmed that a hacker mass-spammed nearly 10,000 students and downloaded the contact details of nearly 47,000 past and present students.
The cyberattack took place on July 10, when someone managed to hack a university employee’s credentials and use them to access student information stored with an unnamed third party.
The hacker then sent 9,997 students a scam text message asking recipients to “urgently” pay customs duties on a package they had ordered. The SMS message also contained a link that took the recipient to a form requesting their information, including credit card details.
In addition, the hacker gained access to the contact details of 46,980 current and former students, including student names, student IDs, cell phone numbers, Deakin email addresses, and recent scores.
The Deakin University spokesman said in a blog post that the university took “immediate action” to stop sending further text messages and opened an investigation into the data breach.
“An investigation into the data breach was launched immediately,” the university said in a statement, pledging to work to prevent future cyberattacks.
“Deakin sincerely apologizes to everyone affected by this incident and would like to reassure the Deakin community that they are conducting a thorough investigation to prevent a similar incident from happening again.”
Students who received the scam text are advised to change their Deakin password.
Universities are increasingly becoming victims of cyber attacks
The attack comes just days after Australian authorities registered new rules requiring telecom companies to identify, track and block SMS scams to protect customers.
Deakin University said it reported the incident to the Office of the Victorian Information Commissioner (OVIC), which recently issued a report on the security of personal information at the universities of Victoria.
According to the report, Victoria’s universities have become increasingly vulnerable to cyberattacks due to their poor management of personal data risk, lack of clear policies on how to handle information that is no longer needed, and lack of written guidance on how to share data with third parties.
In February 2021, the University of Victoria’s RMIT was hit by a ransomware attack, causing the university to shut down its system and suspend online and face-to-face classes.
Data from Scamwatch showed that Australians have lost over A$6.5 million (US$4.37 million) to SMS scams so far, up 188 percent year-on-year.
Additionally, SMS scams accounted for nearly a third of all reported scams in 2022, and losses suffered by scam victims totaled over $257 million.
Alfred Bui contributed to this report.