The data breach of UTAS files containing the personal information of almost 20,000 students is a timely reminder of the importance of cyber security, according to TasICT, the Peak Industry Body for the Information, Communication and Technology sector. While the incident was regrettable, the industry body has praised UTAS for the way it has been up-front and open in its communication process after becoming aware of the breach, and for the way it has supported those affected.
TasICT Cyber Security Sub-Committee Chair and proprietor of leading online security business AQ Advisory, Andrew Quill, said, “Although the data breach was not a ‘hack’, it demonstrates the need for careful attention to general deployment and use of sound, secure best practices and compliance monitoring.” Mr Quill added, “Events such as this do still occur in Tasmania, which is why systems should be deployed with a ‘Secure by design’ philosophy, not bolting security on after.” “Cyber Security should be reviewed and assessed as part of businesses’ change management processes to ensure a change doesn’t weaken security.” Mr Quill recommended that organisations ensure best practice hardening processes are undertaken and regularly reviewed.
Other security tips include limiting sharing and user access permissions to only what is needed to undertake the required tasks, and being mindful of, and undertaking, regular reviews to ensure systems do not have complacent settings on deployment or as part of significant changes. Security education is paramount in any organisation in reducing the likelihood of accidental or malicious security compromise. At the end of the day, security is everybody’s business.
In this instance there was no evidence the data breach was the result of malicious activity, and the data was only accessible by those with a UTAS account. It was the result of a combination of a lack of understanding by users and some undesirable side effects of the Microsoft O365 product suite. Although the data breach was caused by incorrectly configured security settings on shared files, TasICT highlighted the incident as an example of the importance of cyber security and the need for all organisations, large and small, to manage online safety as they would any other business risk.
The Office of the Australian Information Commissioner had been notified by the University, which has also contacted the students and set up a help line.