
Cyber Incident Victim: Deakin University

Date: Jul 2022

Location: Australia

Summary

A data breach at Deakin University occurred when attackers compromised a staff member's credentials to access a third-party SMS provider, exposing personal details of nearly 47,000 current and former students, including names, student IDs, mobile numbers, email addresses, and some academic results. The threat actors used this access to send fraudulent text messages to approximately 10,000 individuals, posing as the institution to solicit credit card information under false pretenses. Immediate action halted further SMS dissemination, and investigations were initiated with support from the Office of the Victorian Information Commissioner and external cybersecurity experts. Affected individuals were notified and offered identity protection services, while security protocols for the third-party system were being strengthened to prevent recurrence.


Description

On July 10, 2022, Deakin University discovered a cyberattack originating from a compromised staff member's account, which provided unauthorized access to a third-party SMS messaging platform used by the institution. Threat actors exploited these credentials to exfiltrate personal data of 46,980 current and former students, including names, student ID numbers, mobile phone numbers, Deakin email addresses, and in some cases recent academic unit results. The attackers simultaneously deployed a smishing campaign, sending fraudulent text messages impersonating the university to 9,997 students. These messages contained a link directing recipients to a phishing form requesting credit card details under the false pretext of processing customs fees for a package. University officials terminated further SMS transmissions upon detection, though the duration of unauthorized access to the third-party system remained unclear.


Deakin University immediately initiated an investigation with assistance from the Office of the Victorian Information Commissioner and an external cybersecurity firm. The institution notified all affected individuals, directing them to IDCARE's identity support services using referral code DUVL, and advised those who had submitted payment details to contact their financial institutions. Security protocols at the third-party provider were enhanced to prevent recurrence, though the initial compromise method for the staff credentials was not disclosed. The breach coincided with Australian regulatory reforms targeting SMS scams, as telecommunications providers faced new mandates to block fraudulent texts following a 188% annual increase in SMS scam losses exceeding AU$6.5 million. Impacted students received guidance on recognizing phishing attempts through official university channels, with Deakin reaffirming that legitimate payment requests would only occur through standardized institutional processes.
