Students and staff members’ personal information is vulnerable to a hack because of a long-running failure to respond to cybersecurity threats at Queensland universities, an audit has found.
The latest report from the Queensland Audit Office warned cybersecurity issues remain unresolved after being discovered as far back as 2021.
Examining state-affiliated bodies – including the Department of Trade, Employment and Training, Education Department, public universities, TAFE Queensland, and Queensland’s eight grammar schools – the report found the universities were most at risk.
“Universities need to continue strengthening their controls to manage evolving cybersecurity risks and to prevent inappropriate access to the information they hold,” the report said.
“Strong internal controls over information systems help protect sensitive data, support operational stability, and preserve public trust.”
In one instance, the report found a former university employee kept their account access for some time after leaving the role.
While 72 per cent of general issues outlined in the previous audit were addressed, Thursday’s report pointed to cybersecurity weaknesses first flagged in the 2020 education report, released in mid-2021.
“Any unauthorised access could result in fraud or error, and significant reputation damage,” the 2021 report said.
Weak security measures remaining in the 2025 report included password protocols and the level of access staff and third-party users had to potentially sensitive information.
Queensland universities were among several Australian education bodies – including the Queensland Education Department – breached in early May by a global ransomware hack targeting a third-party educational management and communications management system, Canvas.
Students and staff members from Queensland University of Technology, Griffith University, and University of the Sunshine Coast all had their personal information compromised.
Education Minister John-Paul Langbroek also revealed the state’s QLearn software was built within Canvas, threatening the data of students and staff at every state school.
Globally, more than 9000 institutions were compromised in the attack, including Australian interstate institutions such as University of Melbourne and TasTAFE.
Responding to the fresh audit report, director-general Sharon Schimming said the education department had “implemented a range of controls to strengthen identity and access management” since it was first instructed to shore up cybersecurity.
“The department’s audit and risk management committee will monitor any required actions to address the relevant recommendations,” Schimming said.
The report also found Queensland’s universities had boosted income by about 5 per cent from the previous year, coming in large part from international student enrolments.
“All but one university made a surplus this year,” the report said.
From our partners
Read the full article here
