AusCERT investigating a data dump claimed to be from the Department of Education

AusCERT investigating a data dump claimed to be from the Department of Education

3:40pm 03/09/20 AEST

Updated below to clarify that first and last name are also included in the data. This doesn’t change our assessment.

Unless further developments occur, we believe no further research is required.

Please notify us if you find that your staff or students have used the service and you have concerns.

4:30pm 02/09/20 AEST

Working with Cosive, we’ve found signs that this is a re-publish of a dataset published in March 2020 or earlier, relating to a service called “K7 Maths”. The TLS on their site also correlates with what seems to be their Australian presence. It’s likely that the data came from an exposed Elasticsearch instance. There are no plaintext passwords exposed, just bcrypt hashes, although they can be cracked with enough effort.

Members concerned that their staff may have used this tool and may be included in the full dump should, where possible:

• Check with teaching and admin staff for usage of the service.
• Check mailboxes for sign-up emails from schoolcentre.com.au, k7maths.com or schoolcentre.com before that date.

If usage is found, we recommend:

• Consider that that credential may be compromised, and anywhere the password was re-used, may now be exploited.
  
  • A password reset for internal services is usually worthwhile, but consider your environment before applying this advice.
• Monitor staff accounts for suspicious logins – email, VPN, etc.
  • This can lead to business email compromise (BEC), unauthorised access to the network, malware being sent between users, and more.
• Notify AusCERT.

There’s a mitigating factor: the password hashes use the standard bcrypt algorithm, with a “cost factor” of ten rather than eight, which makes it four times harder than usual to crack.

We think that the only personal information in the dump is email address and country (edit: as well as first and last name) which would likely not count as a notifiable data breach. Our investigation there is incomplete. Consult your usual legal team if you have concerns.

4:00pm 02/09/20 AEST

We have a suspected source for the data, which is not a government agency. More information to follow.

9:50am 02/09/20 AEST

The dump refers to “the Australian Department of Education (edu.au)”, and no such organisation exists. We’ve reached out to likely candidates for comment.

9:15am 02/09/20 AEST

We’ve seen reports that an Australian educated-related data set of unknown origin has been published.

We’re looking into it now and will update this post as we get more information. We’ll also be posting updates on Twitter and LinkedIn.

The claim is that it’s from the Australian Department of Education, and was retrieved in 2019.

The claimed fields are:

• country_id
• created_at
• email
• encrypted_password (may be a bcrypt hash?)
• first_name
• id
• is_admin
• is_guest
• last_mail_at
• last_name
• last_sign_in_at
• newsletter
• region_id
• tags
• subscription
• orders