Experts say a data breach cannot be ruled out after four denial of service (DOS) attacks that led to the census website being shut down last night.
These kinds of attacks overload a website by simulating lots of users trying to access the site at the same time.
During a DOS attack, “you may have some malware or some hacking which is separate to the denial of service”, according to University of Technology Sydney fellow and IT expert Rob Livingstone.
“[In a DOS attack] they just want to take the site down and render it unavailable. A data breach, from a privacy perspective, is not usually associated with a DOS attack,” he said.
“But, you can’t say absolutely that privacy is not a risk because with the internet, as soon as you expose yourself to the outside world, anything can happen.”
This morning, the Australian Bureau of Statistics’ (ABS) David Kalisch assured Australians “that the data they provided is safe”.
In the lead-up to census night, the ABS spent hundreds of thousands of dollars on load testing and said its servers could handle 1 million forms per hour.
Mr Livingstone said proper risk assessment and the implementation of countermeasures should prevent DOS attacks from occurring.
“[But] the bottom line is that the service is still down, the counter measures have not been effective,” he said.
But Richard Buckland, the board director of the Australian Computer Society and head of cyber security education at the University of NSW, said there was almost no way to prevent data being hacked.
“Banks, the US, even the NSA [US National Security Agency] has been hacked. There’s no way someone like the ABS could rule out a hack, in fact people have been worried about that for quite a long time,” he said.
“This pool of sensitive data is a very attractive target to the three sorts of attackers we normally have, it’s attractive to hacktivists — and we saw that last night — it is attractive to nation-states and attractive to cyber criminals because it’s worth money”.
Mr Buckland said the hack was most likely, at a guess, “a form of hacktivism — someone trying to bring the site down and discredit the ABS”, and that he would be surprised if personal information was at risk.
“My guess would be the point of the attack was to raise awareness and to discredit the ABS. If you wanted the data, a better time to get it would be after the census was complete,” he said.
RMIT internet security expert Mark Gregory has questioned the ABS’ previous promises about data security.
“The statements about never having a data breach, those statements have been taken off their website in the last couple of days, so those statements have disappeared,” Dr Gregory said.
“What it means is that the ABS has launched themselves into a whole disinformation campaign.”
Denial of service or just greater numbers than expected?
Dr Gregory has also questioned whether it was indeed a denial of service attack.
“The system, as we have learnt, was built to handle about a million transactions in an hour. A million people doing their return in an hour,” Dr Gregory said.
“Now, my understanding is that most Australians have dinner, sit down, try and do the census. If you had 5 or 6 million households trying to do their census at the same time, that’s similar to a denial of service attack.
“We need some proof this was from outside Australia and not just simply Australians trying to do the census”.
The census website was unavailable again this morning.
Earlier on Tuesday evening, Prime Minister Malcolm Turnbull tweeted that he had completed the census and it was “easy to do”, but thousands of Australians were prevented from taking part as the ABS website crashed.
The ABS had estimated that two-thirds of Australians would fill out the census online this year for the first time, rather than on paper.
Mr Kalisch said he aimed to have the website up and running as soon as possible to allow people to complete their census forms.
People officially have until September 23 to complete the census online, and the ABS has said people will not be fined for not completing the forms on census night.