Last night’s Census lived up to its most popular hashtag of #CensusFail, with the online portal shutting down at 7:55pm. The Australian Bureau of Statistics confirmed at 11:00pm that the website would continue to stay down until today, and now the reason has been given — the site received no less than four denial of service (DDoS) attacks by overseas hackers, according to the ABS.
This story was originally titled “The Australian Census Website Didn’t Just Crash, It Was Hacked” based on the early information we had. It has since been updated since the “hacks” were claimed to be DDoS attacks. – Rae
The security of the Census has been at the forefront of conversation since it was revealed that names and addresses would be retained. With the ABS having no less than 14 data breaches since 2013, security experts, lawyers and politicians have all been calling for a boycott in order to protect citizens’ private information.
In a tweet this morning the ABC’s Shelley Lloyd confirmed the Census website didn’t simply buckle under the weight of Australia’s population attempting to log on all at once.
#BREAKING – The ABS reveals its website was attacked by overseas hackers which caused it to crash during last night’s census. @ABCNews
— Shelley Lloyd (@shelleymlloyd) August 9, 2016
The Australian Bureau of Statistics says overseas hackers were the cause of the crash, in what the department believes is a deliberate attack on the Census, rather than the result of millions of Australians trying to log on at the same time. The site was load tested, after all, at a cost of almost $500,000 — and received a glowing review from ABS’s technical director “John Citizen”.
ROFL. This is actually a real thing on the website of the firm that load tested the Census https://t.co/s3pibOJtCz pic.twitter.com/ZHbxaZ2R94
— Ben Grubb (@bengrubb) August 9, 2016
David Kalisch from ABS said the Australian Signals Directorate are investigating, and while it is “very difficult” to source the attack (since most DDoS attacks are produced by thousands of bots from IPs globally), it is believed to have come from “overseas.”
“The online census form was subject to four denial of service attacks yesterday,” David Kalisch told the ABC. “The first three caused minor disruption, but more than two million forms were successfully submitted and safely stored.”
The DDoS digital attack map shows no attacks on Australia.
This is the DDOS for yesterday (site is US-based hence date). Brazil obviously, usual Asia/Europe/US. pic.twitter.com/VgOgF7VEBM
— Gordy irl (@GordyPls) August 9, 2016
Police have just released this image of the person(s) behind the #Census2016 attacks. pic.twitter.com/C9YfKmWJNI
— Nathan Cocks (@ElPrezAU) August 9, 2016
Kalisch confirmed “steps have been taken overnight” to ensure the safety of data already provided. You can find out more about the safety of your data here.
We apologise for the inconvenience. The 2016 online Census form was subject to four Denial of Service attacks of varying nature & severity.
— Census Australia (@ABSCensus) August 9, 2016
The first three caused minor disruption but more than 2 million Census forms were successfully submitted and safely stored.
— Census Australia (@ABSCensus) August 9, 2016
After the fourth attack, just after 7:30pm, the ABS took the precaution of closing down the system to ensure the integrity of the data.
— Census Australia (@ABSCensus) August 9, 2016
Steps have been taken during the night to remedy these issues, and we can reassure Australians that their data are secure at the ABS.
— Census Australia (@ABSCensus) August 9, 2016
An update from the ABS was expected at 9am, and it came at 9:53:
We’re working to restore the service. We’ll keep you updated.
— Census Australia (@ABSCensus) August 9, 2016
Shortly after, a statement was received from the Acting Australian Information Commissioner, Timothy Pilgrim, saying he is opening an investigation into the “cyber attacks”.
At 10:40 MP Michael McCormack spoke to the media alongside the ABS’ David Kalisch and Alastair MacGibbon, PM Malcolm Turnbull’s “cyber security advisor”.
Going back on statements released this morning, McCormack is now adamant this is not an “attack”. In fact, he says, it all started when a router failed. “This was not an attack, nor was it a hack. It was an attempt to frustrate the collection of data,” McCormack said, reiterating that no data was breached.
Explaining why the site was shut down, McCormack says the ABS was simply being “over-cautious” and that the system could cope with the traffic flow: the peak submission rate was 153 forms per second, under the 260 per second capacity.
David Kalisch didn’t get the memo about not calling it an “attack” as he launched into explaining that a geo-blocking service intended to stop the DDoS attack “fell over”. The attack has been pinpointed as mostly coming from the USA.
“The attack was no more significant than we normally see,” he said, stating it was “a series of events, that only by lining them up, end on end, led to the unfortunate incident last night”.
He described it as “the equivalent of me parking a truck across your driveway.”
At 11:40 Prime Minister Malcolm Turnbull and Treasurer Scott Morrison spoke to the media, and after emphasising the importance of the Census, hoped to rule out speculation it could have been the collective population of the country putting the site under strain as opposed to overseas attackers — wait — not attackers. “The site was scaled for mass participation,” Turnbull said.
We will keep you updated as more information comes to light.