ADFA hack alarm bells

The University of New South Wales (UNSW) Canberra College was hacked into on 15 November 2012 by a hacker known as Darwinaire who is associated with the Anonymous group. The incident has seen private details of thousands of staff and students at the Australian Defence Force Academy (ADFA) pilfered in what is tantamount to a national security failure.

The relative ease with which the hacker was able to break in should set alarm bells ringing at ADFA. Equally alarming is the anaemic response of those charged with keeping the information secure in the first place.

Darwinaire’s candid comments to Fairfax not only highlight the weakness of the security protocols in place but also raise serious questions about accountability.

The hacker told Fairfax that he was shocked by the lack of online security at the UNSW Canberra College:

"I know right, very surprised I didn't get kicked out. So simple, took like three minutes."

He also told Fairfax he carried out the hack attack because he was bored and did it for fun.

UNSW has stated that it took action to reduce the possibility of further hacking when the hack attack was identified. However, the email sent to students and staff a day after the hack is quite an amazing read.

Too much spin, too little action

The university makes two remarkable claims in the email:

"We believe that the impact on you will be minimal but you should still carefully read the information below."

"Student [staff] name and birthday information may be used for attempts at identity theft and again this requires additional vigilance."

The university makes an unjustified claim that the impact on individuals will be minimal and then moves on to place the onus onto the 10,000 staff and students affected to remain "vigilant" in case the stolen information is used in the future for identity theft.

The future for most of the students attending the college may be 60 or more years. Why should they remain vigilant for the rest of their lives simply because an organisation which owes them a duty of care was lax? Not only is UNSW running with ridiculous spin on this matter, but it appears to have forgotten who the people are that attend the UNSW Canberra College.

A forensic examination

Given that ADFA is the testing ground of our current and future military leaders the data breach should be treated as a national security incident and warrants a thorough forensic examination.

The loss of any personal information that may be used to build a profile on military officers or to impersonate a military officer must be taken seriously by the Minister for Defence, Stephen Smith, and he should immediately call an inquiry into the matter. The ability to impersonate military leaders using digital means is a key weapon that will be employed in future warfare.

It is for this reason that my advice to Stephen Smith and to Defence is that all military members, especially commissioned officers, should be required to become invisible on the internet from the point they enter the military until such time as they retire. Yes, that means no social media, no online games, no Apple iTunes or Google accounts and so on.

Defence must take action now and send specialists to investigate network and information security at the UNSW Canberra College. A report should be prepared within 30 days and recommendations made regarding how to ensure a similar data breach never occurs again at the UNSW Canberra College. The UNSW Canberra College should be forced to act on the outcome of the investigation.

Making accountability paramount

This event occurred more than two weeks ago and has only recently been made public. Has UNSW submitted a data breach report to the Office of the Australian Information Commissioner (OAIC)?

If not, why not? As this is my alma mater I was dismayed to hear that my personal information may have been placed on the web. While it appears that my personal information has not been compromised (there were only a couple of computers on the campus when I attended) I found the matter a cause for concern. Government, companies and organisations need to understand that people are concerned about their personal information and it is not sufficient to make statements like "We believe that the impact on you will be minimal". Failure to secure customer information is not something that should be shrugged off.

The UNSW should identify who was responsible for the data breach. Should someone lose their job for a data breach of this magnitude? Absolutely.

Should UNSW be held accountable by the people affected by the data breach? Yes. What is wrong about this situation is that week after week Australians are told of yet another major hacking event. Government, companies and organisations are not required to report data breaches to the OAIC and the penalty for lax information security is a dose of bad press.

It appears the only way that action will be taken to force better security of personal private information will be a class action lawsuit against a large organisation that has compromised customer details. It may actually be in our best interest that this happen sooner rather than later. It's time for the government to take action to prevent major data breaches rather than wax lyrical about a two year data retention law to identify the villains in this story.

Mark Gregory is a Senior Lecturer in Electrical and Computer Engineering at RMIT University.