Australia responds after 'hacker attack' left millions of people unable to complete the census

Photo: Ian Waldie/Getty Images

The Australian Bureau of Statistics (ABS) and Turnbull government are in damage control today after the ABS was forced to shut down the Census website last night following a series of malicious attacks by hackers.

The ABS says there were four attacks known as a Distributed Denial of Service (DDoS), which is a swarm of repeated requests to a website that often causes it to crash under the overload. Where the attacks came from has not been identified yet, and may be difficult to establish because hackers can use malware to take over home and office computers and enlist them in the attack.

However, there are already security experts claiming it’s too early to say an attack caused the problem, with digital attack maps showing no unusual DDoS activity in Australia.

As a result, only around 2 million of an estimated 12 million census forms were lodged online by Australian households before the ABS hit the kill switch and turned off the site at around 7.30pm on Tuesday.

The census site has still not returned.

The ABS has said people won’t be fined for failing to complete the form on August 9. Australian households have until September 23 to lodge the completed census.

As the fallout continues today, Business Insider is running a live blog to keep you up to date with things as they develop.

6.15pm: So the Census website has now been down for nearly 24 hours.

Over at The Conversation, Mike Johnstone from Edith Cowan University looks at what went wrong, but now the question is when will the site be back up for the other 8 million Australians who’d like to complete the census?

It’s now 3 hours since we last heard from the ABS, which is “still working to restore the service”.

How can it be taking so long after they told us it was all so simple this morning? We’ll see you tomorrow for the next round of explanations.

5.57pm: Some have been staggered by the $9.6 million cost for IBM to build the Census website

You may like to read this 2013 piece from BRW on the Queensland Health payroll software implementation – a $6.19 million contract IBM won in late 2007.

It features these lines:

The project wasn’t just late, it was two years late. It wasn’t just over-budget, it was $1.18 billion over-budget. It didn’t just have bugs, it had more than 35,000 payroll anomalies that resulted in real-world grief for nurses and other health employees.

AND:

IBM stands by the work it did for Queensland Health, though anecdotally it seems that the affair has tarnished Big Blue’s reputation in corporate Australia.

“Their reputation locally has been damaged by the debacle of the Queensland Health payroll project and the ongoing parliamentary inquiry into it which keeps it in the news,” one chief information officer told BRW privately.

Here’s the full story.

5.20pm: Here’s McCormack’s media conference from this morning.

Thanks Michael Keating.

5.15pm: Here’s the chart everyone’s been passing around today

See the DDoS “attempt” that confluenced the Census website? Someone’s going to have to produce proof soon before this gets a little too “children overboard”.

4.47pm: Minister Michael McCormack is not having a good day.

The Nationals MP, in charge of the census for the last three weeks, has had his personal website hacked – in the true hacked sense, since it featured a reference to “gay sex”. McCormack has been a vocal critic of homosexuality in previous years. The website is now down.

4.28pm: The best explanation we’ve seen of what happened so far.

screenshot

(Yes, it’s a joke.)

4.21pm: It’s been a long day. Who needs a laugh?

The Shovel has confirmed that Australia’s population is now 48, according to last night’s census.

Some key takeouts from the Census:

61% of Australians now work for the ABS

7% of Australians have the surname Turnbull

12% of Australians are current or former Australian prime ministers

0% of Australians have an internet connection

Thanks guys. We needed that. The rest is here.

4.02pm: Techsperts are lining up to take a whack at the ABS and IBM.

The Fin carries this story with assorted IT bosses lining up to say the two organisations basically got dacked.

Amy Gray from advocacy group Digital Rights Watch summed up best what many are thinking when she said:

“The Turnbull Government’s handling of last night’s online Census demonstrates both a total disrespect for personal privacy rights and lack of digital literacy.

“Now they are botching the explanation of what happened to cause the website to crash and making people even more distrustful of providing their information.”

3.35pm: The ABS has spoken about the “attempt to frustrate its collection of Census data”

Some 18 hours after it happened, the ABS has just published a statement about Tuesday’s series of unfortunate events on its website.

It cites four things in a “confluence of events” (yes, they borrowed the PM’s description for their statement) that happened just after 7.30pm.

No. 2 must have been a huge surprise (our emphasis in bold).

· A fourth denial of service attempt
· A large increase in traffic to the website with thousands of Australians logging on to complete their Census
· A hardware failure when a router became overloaded
· Occurrence of a false positive, which is essentially a false alarm in some of the system monitoring information.

It goes on to say:

The ABS applied an abundance of caution and took the precaution of closing down the online Census form to safeguard and to protect data already submitted, protect the system from further incidents, and minimise disruption on the Australian public of an unreliable service.

Government and ASD were notified by the ABS. Reviews by IBM, ASD and ABS have confirmed that this was not a hack – no Census data was compromised.

Had these events occurred in isolation, the online system would have been maintained.

ASD are investigating these events. The ABS is working to restore service. We will only restore the service when we know it is robust and secure, and when the ASD provides clearance to do so.

The ABS apologises to the Australian public for inconvenience caused and reassures Australia that no data has been lost or compromised.

But the Bureau may be over-egging the pudding when it says “the ABS has an unblemished record of protection of data”. That would be news to Supreme Court justice Elizabeth Hollingworth, who last year jailed former ABS analyst Christopher Hill for three years and three months over what she labelled “the worst instance of insider trading to come before the courts”.

Hill nicked unpublished labour force, new capital expenditure, retail trade and building approvals data from the ABS between August 2013 and May 2014 in the $7 million scam.

Sure, the ABS finishes the sentence with “and there has never been a breach in relation to Census data”, but the Bureau is being very careful with words now: this morning it was a DDoS “attack”, but after the minister responsible subsequently declared it was “not an attack”, the word is not uttered once in the 540-word statement and the DDoS has been downgraded to an “attempt”.

Turnbull’s cyber security advisor, Alistair MacGibbon, is going to review things when it’s all calmed down, the ABS says.

In the meantime, the site remains down. How long does it take to replace a router and restore your geo-block?

2.29pm: So one theory is kids could have brought down the ABS.

The ABS says it was expecting a DDoS attack – they’re a normal part of doing business online, the statisticians said – which makes you wonder why the confluence of failure was so easy.

But we thought we’d ask an expert what’s going on: are they really that easy, and why bother? Is it like parking a truck in someone’s driveway, which is what ABS head honcho David Kalisch likened it to?

The bigger worry, from what Dan Slattery, senior information security analyst at Webroot, told us, is that there have been 14 separate data breaches at the ABS over the past three years.

Here’s what he said:

“DDoS attacks are reasonably easy to achieve, hackers can purchase botnet resources and point the distributed power of the compromised systems towards a specific server or website. These attacks are designed to disrupt access and bring a service offline. It isn’t designed to compromise data.

“There is speculation that the attack happened as a protest against the ABS’s decision to collect and save personally identifiable information alongside the census for the first time this year. There were worries that there may be a data breach and this information will become public or used for malicious purposes. The ABS have reported 14 separate data breaches since 2013.

“DDoS attacks are hard to stop, every server that is connected to the Internet is in some ways vulnerable. Government and financial sites are often a prime target of these attacks. The best way to mitigate the effectiveness of a DDoS attack is to plan ahead. It is important to have thorough estimates of the typical load on the servers and potential peak usage. Since the ABS was planning on most households filling out the census on the 9th August they would have planned for the potential of having millions of concurrent users.”

1.49pm: And the Nostradamus award goes to…

Glengyron for this tweet a week ago:

And an honourable mention goes to Roger Riordan of Hampton, whose letter to the editor was published in The Age last Thursday, concluding:

So I expect most eligible people will arrive home on the ninth, have dinner, then think “oh, the (expletive deleted) census”, and expect to be able to finish it before bedtime.

This could mean up to 10 million people trying to respond in one hour.

I predict total chaos, and as it will be too late to make other arrangements a very large number of people will say something like “To hell with that”, and go to bed.

1.44pm: So how’s that e-voting plan working out for you?

Remember how mad keen everyone was for online voting just a month ago, and angry they couldn’t do it for the last election? There’s a little bit of told-you-so from naysayers today, but the Australian Information Industry Association (AIIA) has put out a statement saying get on with the digitisation of government.

CEO Rob Fitzpatrick says going digital will save time and money.

“As the world transforms to be more digital, cyber security will be a major challenge for all governments and businesses. The Australian government should be commended for having already prioritised cyber security through its recent policy development and appointments,” he said.

“The most successful and innovative businesses learn from their setbacks and iterate and improve in future releases. We should expect the same from our government. Rather than calls to revert to the old way of doing something, such as going back to paper, we should be supporting our government to take stock, learn, make improvements, plug gaps, and do it better next time.”

1.32pm: Plants v Hackers

We love this story from News.com.au for this detail:

Data on government contracts reveal the Australian Bureau of Statistics (ABS) spent almost half a million dollars on pot plants last year, almost $100,000 more than testing the Census website for the entirely predictable onslaught of millions of people logging on simultaneously.

It was only two months ago that the ABS started pouring a few more dollars into the website.

Overall, the agency spent more on photocopying and, ironically given the alleged online attack, on antivirus software than the total amount spent on “load testing”.

12.50pm: It’s opposition leader Bill Shorten’s turn.

Predictably, it’s all about the “gold class incompetence” of the government and he wants a Senate inquiry.

“How can Australians trust the Government when they can’t even explain to them what’s gone wrong, why it has gone wrong?” Shorten says.

Perhaps because the government is still fighting the ABS over whether to call the suspected DDoS an attack or not.

12.32pm: The Herald had a chat to security adviser Troy Hunt about the DDoS.

He raised the point that has everyone wondering what the hell happened last night:

“[The ABS] must have really got to the end of their tether to say ‘Let’s just pull the plug,’ ” Hunt said.

“But that begs the question: what is their underlying architecture? It feels like they didn’t architect the system with the expectation of this kind of attack, which is odd because this is exactly the kind of thing you would expect.”

Of course the ABS said they did. But it fell over, and for something as important as this, surely you plan redundancies so there’s a backup if things go awry. Imagine if the ABS was an airline…

12.15pm: University of NSW academics from the Australian Centre for Cyber Security (ACCS) have chipped in on the issue, pointing to the research paper they put out in May: “Australia’s Response to Advanced Technology Threats: An Agenda for the Next Government”.

The centre’s professor Greg Austin says cyber security is not cheap nor easy.

“There is room to question just how much the government is prepared to spend on this new challenge. If it is to spend more, we need to identify where that money needs to come from. Maybe we need some institutional innovation in the structures of government and a different conversation with the public about the threats,” he said.

More money? Scott Morrison will be delighted to hear it.

11.41am: Prime minister Malcolm Turnbull steps up to the plate, with treasurer Scott Morrison by his side. Let’s call this management escalation.

The PM is telling the nation how critical the census data is, urging all Australians to do their bit.

Anyone trying to make political capital out of this incident is working against the national interest, Turnbull says.

There’s going to be a review he says, adding that the ABS has an “unblemished record” on census data security.

The PM’s choice of words is interesting when he says “there was no penetration of the ABS website” in the [not] attack.

And the ABS was prepared, he argues.

“The site was scaled for mass participation,” the PM said.

But we’ve just done the maths on this and reckon it doesn’t add up. Even if everyone used the site evenly between 5pm and midnight last night, that’s a maximum of 6.5 million forms – about half the number expected.

So what’s wrong with this picture about being ready for the numbers?

11.40am: Yes Jack, they had to bomb the village in order to save it:

And Patrick Gray from Risky Business makes these salient points:

We like this reply:

Gray continued:

11.15am: Spandas Lui at Lifehacker ponders whether something more sinister than a DDoS attack was going on, because nothing showed up on the radars of a bunch of security experts last night.

But she also points to a killer point in a News.com.au piece citing QUT privacy expert Professor Matthew Rimmer:

“I really question the wisdom of the claims by the ABS and the government that everything would be OK, that there would be absolute protection in relation to privacy and security when obviously they were painting a bullseye on their back making those sorts of claims. It underlines we need better privacy protection in an age of big data, cloud computing and hacking.”

Yep, they got shot up…

11am: Labor’s Andrew Leigh is ripping into the government over last night.

He’s been hounding them over the issue in the leadup to the census and now has a reload of fresh ammunition.

“This has been the worst-run Census in Australian history,” he says.

“The Turnbull government is answerable for what happened last night.”

Three ministers were in charge of the census over the past year. The current minister, Michael McCormack, has been in the job for three weeks.

“Even if no data has been lost, a huge amount of time has been wasted,” Leigh says.

10.50am: BI’s editor Paul Colgan explored the range of stuff ups overnight in this piece. The Herald’s economics correspondent, Peter Martin, has also let rip, calling the census problems “just the latest Bureau of Statistics bungle”

Here’s a sample:

“Reckless” doesn’t begin to describe the new culture at the top of the Bureau of Statistics.

Its most important product apart from the census is the monthly employment survey. Two years ago it decided to modernise. It moved much of it online, accepted a lower response rate and changed the months in which different questions were asked.

Against the advice of ABS veterans, it didn’t run a backup survey using the old system.

In August 2014 the number of Australians officially employed jumped an incredible 121,000. The next month, September, it dived 172,000, or it would have had the ABS not pleaded with users to ignore the seasonally adjusted numbers which it no longer trusted.

Ouch. Read the rest here.

10.41am: Nationals MP and the minister responsible for the census, Michael McCormack, is talking about what happened last night, along with ABS boss David Kalisch and the prime minister’s cyber security advisor, Alastair MacGibbon.

Apparently some of the tech failed, which then allowed the DoS attack. Apparently there were two attacks even before last night. But McCormack is not prepared to call it an attack.

“This was not an attack, nor was it a hack. It was an attempt to frustrate the collection of data,” the minister says.

The system was not compromised and no data was taken.

“The good thing is it was safeguarded. People’s information was protected. The good thing is that no data has been lost,” he said.

Alongside the DDoS attacks, the ABS experienced a hardware failure when a Telstra router became overloaded, McCormack explains.

“The ABS was over-cautious” McCormack says, in order to secure the data. No data was lost and everything entered was preserved.

“There was no entry into the system.”

2.33 million forms were lodged before the shutdown.

The system could cope with the traffic flow, the minister says, with a peak submission rate of 153 forms per second – under the 260 per second capacity.
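The capacity figures above (153 forms per second observed against a stated 260 per second), the “scaled for mass participation” claim and our own 5pm-to-midnight arithmetic at 11.41am, and Dan Slattery’s advice at 2.29pm to estimate typical and peak load ahead of time, can all be checked with one small model. This is an added example written for this page, not code from the ABS, IBM or anyone quoted. The numbers come from the page (12 million forms expected online, 260/s capacity, 153/s peak, a seven-hour evening window) and the “10 million people in one hour” worst case is Roger Riordan’s; the one assumption that is ours is that submissions within a window arrive evenly, so every figure is an optimistic upper bound rather than a forecast.

```python
"""Capacity-planning sanity check for a fixed-rate submission service.

Added example for this page (not ABS/IBM code). Figures used:
  - 12 million forms expected online (page)
  - stated capacity 260 forms/second, observed peak 153/second (page)
  - 5pm-to-midnight window = 7 hours (page's own arithmetic)
  - "10 million people in one hour" worst case (Roger Riordan's letter)
Assumption (ours): within a window, arrivals are spread evenly. Real
traffic is burstier, so these results are optimistic upper bounds.
"""

SECONDS_PER_HOUR = 3600


def max_forms_in_window(capacity_per_sec: int, window_hours: float) -> int:
    """Most forms a service can accept if it runs flat out for the whole window."""
    return int(capacity_per_sec * window_hours * SECONDS_PER_HOUR)


def required_rate(expected_forms: int, window_hours: float) -> float:
    """Average forms/second needed to absorb expected_forms evenly over the window."""
    return expected_forms / (window_hours * SECONDS_PER_HOUR)


def utilisation(observed_peak_per_sec: float, capacity_per_sec: float) -> float:
    """Fraction of stated capacity in use at the observed peak (1.0 = saturated)."""
    return observed_peak_per_sec / capacity_per_sec


def unserved_backlog(forms_arriving: int, capacity_per_sec: int, seconds: int) -> int:
    """Forms left queued or rejected when a burst exceeds capacity for `seconds`.

    Integer arithmetic so the result is exact: whatever the service cannot
    drain during the burst is still waiting (or has been turned away) at its end.
    """
    return max(0, forms_arriving - capacity_per_sec * seconds)


def capacity_report(expected_forms: int = 12_000_000, capacity_per_sec: int = 260,
                    window_hours: float = 7, observed_peak: float = 153,
                    burst_forms: int = 10_000_000,
                    burst_seconds: int = SECONDS_PER_HOUR) -> dict:
    """Pull the checks together; every value is derived from the inputs."""
    needed = required_rate(expected_forms, window_hours)
    return {
        "max_forms_in_window": max_forms_in_window(capacity_per_sec, window_hours),
        "required_rate_per_sec": needed,
        "capacity_shortfall": needed > capacity_per_sec,
        "peak_utilisation": utilisation(observed_peak, capacity_per_sec),
        "unserved_after_burst": unserved_backlog(burst_forms, capacity_per_sec,
                                                burst_seconds),
    }


if __name__ == "__main__":
    for key, value in capacity_report().items():
        print(f"{key}: {value}")
```

Run as-is, the model reproduces the 6.5 million figure (6,552,000 forms is the most a 260/s service can take between 5pm and midnight), shows that clearing 12 million forms evenly in that window would need about 476 forms per second, and shows that Riordan’s one-hour rush leaves more than 9 million forms unserved even with the service running flat out. The 153/s peak is only 59% of stated capacity, which is the page’s point: the stated rate was never reached, so the outage is a resilience and cut-over story rather than a raw throughput one, and load testing has to be done against a realistic peak, not an average.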

ABS chief statistician David Kalisch says a geo-blocking service “fell over” to stop the DoS attack.

Most of the DDoS attack was coming from the USA.

“The attack was no more significant than we normally see,” he says.

It’s normal, but “a series of events, that only by lining them up, end on end, led to the unfortunate incident last night,” Kalisch says.

“It’s the equivalent of me parking a truck across your driveway,” Kalisch explains, offering a metaphor for the DoS.

The Australian Signals Directorate is busy figuring out what’s going on.

Alastair MacGibbon, the PM’s advisor on cyber security says the night “ended up a draw”.

“They managed to tip over some systems. The ABS made a decision to turn that website off in order to ensure that the data wasn’t compromised,” he said.

10.04am: Australian Privacy Commissioner Timothy Pilgrim, who’s also the acting Australian Information Commissioner, has issued a statement saying he’s investigating what happened. Here’s what he said:

I am aware of the denial of service attacks on the Census 2016 website last night and my staff have been in contact with ABS this morning.

Based on these reports I am commencing an investigation of the Australian Bureau of Statistics (ABS) in regards to these cyber attacks, under the Australian Privacy Act 1988. My first priority is to ensure that no personal information has been compromised as a result of these attacks.

ABS have confirmed that a decision was taken last night to shut down the website in order to protect personal data.

Yesterday I noted that the Office of the Australian Information Commissioner has been briefed by the ABS on the privacy protections put in place for the Census. My office will continue to work with the ABS to ensure they are taking appropriate steps to protect the personal information collected through the Census.

9.53am: The ABS promised an update at 9am. They’re a little behind schedule, but the news is not good at this point:
