Education·Easy·Real-world incident

Deakin University — The SMS Vendor

Deakin University is a Victorian university with around 47,000 enrolled students. To send mass SMS communications - exam reminders, enrolment notices, emergency alerts - the university used a third-party SMS forwarding service. Staff prepared message content, then the third-party platform handled delivery to student mobile numbers.

Deakin's information security policy required strong authentication for any system holding student personal information. The same policy applied to "any third-party service used by the university for communication or record-keeping." Internal documentation listed the SMS vendor as one such service.

In July 2022, a staff member's username and password for the SMS vendor were obtained by an attacker. The vendor's platform did not enforce multi-factor authentication for university accounts. Using the credentials, the attacker logged in directly, accessed the contact details of 46,980 current and past students - including names, mobile numbers, university email addresses and recent exam result comments - and used the platform to send a phishing SMS to 9,997 students. The fake message claimed to be a parcel delivery notification and asked recipients to enter credit card details on a spoofed web form.

Your task

Identify two stages of the Drift Model where this scenario shows clear drift, and justify each.

Pick two different stages and write at least 20 characters for each.