ANU releases detailed account of data breach

2 October 2019

This wasn't a smash and grab. This was a diamond heist | ANU Vice-Chancellor, Professor Brian Schmidt

The Australian National University (ANU) has today released a comprehensive public report into the late-2018 data breach announced on 4 June this year.

The report is the culmination of months of investigation into the hack and has been shared with all ANU staff, students, alumni and wider community.

It outlines the incredible level of sophistication behind the hack as well as a detailed timeline of what happened and when.

ANU Vice-Chancellor Professor Brian Schmidt said he was committed to making the University's findings available to the entire ANU community.

"I want to be as transparent with my staff, students, alumni and wider community as possible about what happened, how it happened and why it happened," Professor Schmidt said.

"And by doing so, I also want to encourage disclosure of these attacks more broadly.

"Most importantly, I wish to once again apologise to the victims of this data breach: our community. We are doing everything we can to stop this from happening again."

Professor Schmidt said the report shows the hack was so sophisticated it "has shocked even the most experienced Australian security experts".

"This wasn't a smash and grab. It was a diamond heist," Professor Schmidt said.

"It was an extremely sophisticated operation, most likely carried out by a team of between five to 15 people working around the clock.

"It's likely they spent months planning this. They were organised and everyone knew their role.

"They evolved. They used custom-built malware and zero-day hacks to exploit unknown vulnerabilities in our system.

"They dismantled their operations as they went to cover their tracks.

"They brought their A team.

"This was a state of the art hack, carried out by an actor at the very top of their game and at the very cutting edge."

Professor Schmidt said the University was investing in information security technology, processes, culture and leadership.

"We are working constantly to ensure the protection of the data that people entrust to us," he said.

"And we are investing heavily in measures to reduce the risks of this occurring again, including a multi-year information security investment program.

"But we must all remain vigilant and follow the advice of security experts to protect our personal information."

The Vice-Chancellor said he hoped the ANU report also helped better prepare other organisations confronting a complex and constantly evolving cybersecurity landscape.

"I have made this report public because it contains valuable lessons not just for ANU, but for all Australian organisations who are increasingly likely to be the target of cyber attacks," Professor Schmidt said.

"It is confronting to say this, but we are certainly not alone, and many organisations will already have been hacked, perhaps without their knowledge. I hope this report will help them protect themselves, and their data and their communities."

The full report is available at: