This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Queensland University of Technology

Summary

Queensland University of Technology (QUT) disclosed a cyberattack on 1 January 2023, though the data was actually stolen in an attack that occurred on 22 December 2022. The Royal ransomware group compromised the university's systems, stealing data belonging to 11,405 individuals including staff and students. The attackers leaked HR files, email communications, ID documents, and financial records, with bank account numbers and 3,820 tax file numbers among the compromised information.

What Happened

QUT became aware of the cyber attack after campus printers began printing ransomware notes in bulk. The attack occurred on 22 December 2022, but the university didn't disclose it publicly until 1 January 2023. The university linked the attack to the Royal ransomware variant, a relatively new ransomware group that emerged in 2022.

QUT immediately shut down all IT systems to prevent the attack's spread. The shutdown included the Blackboard teaching system (used for online learning), various staff systems including the Cisco-based remote access network, network storage, and printers. The attack occurred during the holiday period, just after the end of the academic year.

The Royal ransomware group leaked HR files, email and letter communications, ID cards and documents, and financial and administrative documents. The group stated that the leaked data represented 10% of the total data stolen during the attack, suggesting a much larger volume of information was exfiltrated.

Impact on Individuals

The breach affected 11,405 individuals:

  • 2,492 current staff members
  • 8,846 former staff members
  • 17 current students
  • 50 former students

The compromised data included bank account numbers for an unspecified number of individuals, and tax file numbers for 3,820 people. The exposure of tax file numbers is particularly concerning as these are permanent identifiers used by the Australian Tax Office and cannot be easily changed, creating long-term identity theft risks.

The leaked HR files, employment records, and internal communications could also cause reputational harm or embarrassment to affected individuals, particularly if performance reviews, disciplinary matters, or sensitive workplace issues were included.

Organisational Response

QUT took immediate action to contain the attack by shutting down IT systems across the campus. The university worked with cyber security experts and law enforcement to investigate the breach and secure its systems.

The timing of the attack, during the holiday period between Christmas and New Year, complicated the response and notification process. The university had to balance the need to respond quickly with the practical challenges of many staff being on leave.

QUT notified affected individuals and relevant authorities including the Office of the Australian Information Commissioner. The university worked to restore services whilst ensuring systems were secure before bringing them back online.

Verification Source: View original statement