Client Alert: Australian National University Data Breach
It can sometimes seem like there is an unending stream of news regarding data breaches and cyber-attacks, but few are so close to home. In June of this year, the Australian National University (ANU) advised that they had been the victim of a data breach resulting in “unauthorised access to significant amounts of personal staff, student and visitor data extending back 19 years”1.
From the information publicly released, the breach appears to have been committed by a sophisticated operator, with commentators also suggesting a plausible link to a foreign government2. Based on the 19-year timeframe over which the information was collected by the university, the personal information of an estimated 200,000 individuals was compromised, including names, addresses, dates of birth, payroll information, bank account details, passport details, as well as student records3.
This is the second publicised cyber security incident to affect the ANU in the space of 12 months, with the university publicly advising in July 2018 that its systems had been infiltrated. Press coverage at the time cited federal government officials as confirming that the cyber-attack was launched from China and that “the ANU computer network was significantly compromised”4.
To the ANU’s credit, it has taken a number of steps in the wake of this latest breach to mitigate the possible harm to affected individuals, stating: “The University has taken significant protection measures to strengthen our systems against such attacks. We have done this in collaboration with Australian government security agencies and our industry security partners such as Microsoft”5.
What can we learn from this data breach?
The ANU data breach is further proof that Australian organisations can no longer take a “head in the sand” approach to cyber security – believing that they are safe from or of little interest to malicious operators merely because of our geographical isolation.
Australian organisations and the data they hold represent a rich target for cyber-attackers – especially those organisations with close ties to government. In the immediate wake of the breach, a number of experts commented on the ANU’s attractiveness as a target for state-sponsored hackers, referencing in particular its large international student population, the number of ANU students who eventually go on to work in government positions6, and the university’s own close government ties7.
In addition, in spite of the ANU’s efforts to upgrade its systems and protect its data in the wake of the July 2018 incident8, those upgrades were not sufficient to prevent a further incident only months later. While the ANU has stated that those upgrades were essential in detecting this latest data breach9, their failure to prevent it shows that cyber-related threats continue to evolve and change and that no system can ever be truly 100% secure.
Cyber Insurance Response
The ANU breach is just one of a multitude of data breaches affecting businesses around the globe, which can result in significant unanticipated expenditure, potential liability issues as well as catastrophic reputational and brand damage.
A specialised cyber insurance policy can provide valuable and immediate assistance with the unanticipated costs resulting from a data breach, as well as a ready-made incident response process to assist the insured in the immediate aftermath of a cyber incident, including costs for:
- Forensic investigation expenses to isolate, assess and address the cause of a data breach, including costs incurred to recreate and/or restore data.
- Legal expenses to determine notification obligations under legislation.
- Notifying affected individuals, and providing additional support services including credit and ID theft monitoring.
- Public relations and crisis management expenses to manage the reputational fallout of the breach.
- Defence costs arising from a resulting privacy or network security liability claim including legally insurable fines and penalties by a privacy regulator.
The risk of a major data breach or other cyber incident is no longer something which Australian organisations can afford to ignore. To meet these evolving risks, organisations require a comprehensive cyber risk management strategy that includes a strong understanding of risk exposure, optimised investment, and risk transfer, such as through cyber insurance, to ensure an effective response and a timely return to normal operations.
This document and any recommendations, analysis, or advice provided by Marsh (collectively, the ‘Marsh Analysis’) are not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Marsh Pty Ltd (ABN 86 004 651 512, AFSL 238983) arranges the insurance and is not the insurer. This document contains proprietary, confidential information of Marsh and may not be shared with any third party, including other insurance producers, without Marsh’s prior written consent. Any statements concerning legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as legal advice, for which you should consult your own professional advisors. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Except as may be set forth in an agreement between you and Marsh, Marsh shall have no obligation to update the Marsh Analysis and shall have no liability to you or any other party with regard to the Marsh Analysis or to any services provided by a third party to you or Marsh. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or re-insurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage. LCPA No. 19/062.