Cyber Incident Victim: Australian Catholic University
Date:
May 2019
Location:
Australia
Summary
The Australian Catholic University experienced a data breach stemming from a phishing attack where fraudulent emails impersonating the institution tricked staff into divulging login credentials on a counterfeit page. A limited number of compromised accounts allowed unauthorized access to staff email accounts, calendars, and sensitive bank account details. The university responded by resetting affected credentials, alerting its financial institution, and notifying relevant data protection authorities, while emphasizing a commitment to enhancing cybersecurity awareness programs and IT system safeguards.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On May 22, 2019, the Australian Catholic University (ACU) discovered a data breach resulting from a phishing attack. The attackers impersonated ACU in emails that tricked staff into clicking malicious links or opening attachments, redirecting them to a fraudulent login page where credentials were harvested. Acting Vice-Chancellor Dr. Stephen Weller confirmed that a limited number of staff accounts were compromised through this method. The attackers used stolen credentials to access email accounts, calendars, and sensitive bank account details of affected personnel. The university did not disclose the exact timeline of the initial phishing campaign or the duration of unauthorized access prior to detection. Impacted systems included staff email and calendar services, though the breach’s full scope beyond these systems was not detailed. ACU emphasized that only a "very small number" of staff accounts were breached, limiting the exposure of financial data to those individuals.
Following the discovery, ACU immediately reset passwords for compromised accounts and initiated contact with its bank to secure affected financial information. The university formally notified the Office of the Australian Information Commissioner, fulfilling regulatory obligations. In public statements, ACU acknowledged its responsibility for data security and IT system integrity, committing to a review of its cybersecurity awareness programs for staff and students. The incident occurred amid heightened scrutiny of Australian universities’ security postures, as the Australian National University (ANU) had separately disclosed a major breach earlier that month involving 19 years of sensitive data. Unlike the ANU breach, which involved large-scale exfiltration of personal and financial records, ACU’s incident appeared confined to targeted staff account compromises without evidence of data manipulation or broader systemic infiltration. The university concluded its initial response by reinforcing its focus on preventive security measures rather than disclosing specific long-term remediation steps.