An attacker has infiltrated the systems of a West Australian TAFE and accessed the sensitive personal details of more than 13,000 students.
The unknown attacker gained unauthorised remote access to North Metropolitan TAFE's IT system on August 28 and September 5, WA Education minister Sue Ellery told parliament yesterday.
The hacker accessed details on an unknown number of staff and 13,782 students that included names and addresses as well as "some" encrypted passwords and IP addresses, she said.
However Ellery said there were no current password and log-in credentials accessed in the breach. Similarly there was "no evidence" that the attacker had managed to access student banking or financial information.
"As soon as this was discovered, immediate action was taken to shut down the system and to identify sources of the breaches," she said.
"I'm told it does appear to be a fairly unsophisticated effort, but nonetheless we need to be vigilant against this," she said.
The state's four other TAFE colleges had run scans of their networks to check for unauthorised access following the breach and had reported no issues, Ellery said.
WA Police is investigating the hack and the government has initiated an internal review.
The state government has long been criticised by WA auditor-general Colin Murphy for its weak security controls.
In June this year Murphy said he was fed up with repeatedly reporting the "same common weaknesses" that could be “easily addressed” at little cost.
His most recent review found easily-guessable passwords, unpatched systems, and unencrypted data stored on tape back-ups across the public service.
That same month the state government offered up a brief digital security policy [pdf] that it is in the process of implementing across whole-of-government.
