Deakin University has revealed a data breach impacting almost 47,000 current and past students, along with a ‘smishing’ attempt that compromised a legitimate communications channel to target 10,000 current students.
The Victorian university said it had been “targeted in a cyber attack” where a single staff member’s login credentials were compromised.
The credentials allowed the attacker “to access information held by a third-party provider” that Deakin pays “to forward messages prepared by the university to students via SMS.”
“The information accessed by the unauthorised person was then used to send an SMS, as if from Deakin, to 9997 Deakin students,” the university said in a statement.
The smish was a parcel delivery scam that directed students to a webform that sought additional information, such as a payment card, to free a fake parcel from customs.
Deakin University said it had taken “immediate action” to pause its use of the communications channel.
However, the attacker was able to go further than the smish campaign, and download “the contact details of 46,980 current and past Deakin students.”
“The contact details included student name, student ID, student mobile number, Deakin email address and special comments,” it said.
“The special comments included recent unit results.”
Deakin University said it would report the breach and seek guidance from the Office of the Victorian Information Commissioner (OVIC).
Its own investigation of the incident is also continuing, including work “with the third-party provider to ensure security protocols are enhanced to prevent any recurrence of this breach.”
The university apologised for the incident.