Sent to the ANU community on 2 October 2019

**********************************************************************

Dear all,

You will recall when I notified you in June this year that we had been the victims of a data breach I promised to release the findings of the investigation we were conducting into the incident.

That report is now available.

To my knowledge, this is the first publicly available report of its kind in Australia and it contains valuable lessons, not just for ANU but for all Australian organisations who are increasingly likely to be the target of cyber attacks.

Our forensic investigation found the data breach was the work of a highly sophisticated actor using a targeted spearphishing email that did not require the affected staff member to download an attachment or click on the link. It's shocking in its sophistication.

The investigation also found that while we cannot confirm exactly what data was taken, we know it was much less than the 19 years' worth we originally reported. To date, we've found no evidence personal data has been misused and we are continually monitoring this situation.

The report outlines the lessons for ANU and what we are doing to further protect our systems. But we have to strike a balance and this report cannot be an instruction manual for would-be hackers to launch another attack. I have asked for this report to be as transparent as is allowable to ensure our community is well-informed, but not so that criminals are armed with information that compromises our systems or that of another organisation.

My intention is for this report to provide answers to a lot of your questions, but I encourage the ANU community to take a keen interest in our cyber security. Therefore, our Chief Information Security Officer will be holding a series of town halls where you can ask more questions. Details of those town halls will be circulated shortly. We have also updated the FAQs on the website.

Finally, and most importantly, I wish to apologise to you, the victims of this data breach. We are working constantly to ensure the protection of the data you entrust us with; and are investing heavily in measures to reduce the risks of this occurring again. However, we must all remain vigilant and follow the advice of security experts to protect our personal information.

Regards,

Brian