The ABS Says The Census Website Was DDoS Attacked

Last night’s Census lived up to its most popular hashtag of #CensusFail, with the online portal shutting down at 7:55pm. The Australian Bureau of Statistics confirmed at 11:00pm that the website would stay down until today, and now the reason has been given — the site received no fewer than four denial of service (DDoS) attacks by overseas hackers, according to the ABS.

This story was originally titled “The Australian Census Website Didn’t Just Crash, It Was Hacked” based on the early information we had. It has since been updated since the “hacks” were claimed to be DDoS attacks. – Rae

The security of the Census has been at the forefront of conversation since it was revealed that names and addresses would be retained. With the ABS having had no fewer than 14 data breaches since 2013, security experts, lawyers and politicians have all been calling for a boycott in order to protect citizens’ private information.

In a tweet this morning, the ABC’s Shelley Lloyd confirmed the Census website didn’t simply buckle under the weight of Australia’s population attempting to log on all at once.

The Australian Bureau of Statistics says overseas hackers were the cause of the crash, in what the department believes is a deliberate attack on the Census, rather than the result of millions of Australians trying to log on at the same time. The site was load tested, after all, at a cost of almost $500,000 — and received a glowing review from ABS’s technical director “John Citizen”.

David Kalisch from the ABS said the Australian Signals Directorate is investigating, and while it is “very difficult” to source the attack (since most DDoS attacks are produced by thousands of bots from IPs globally), it is believed to have come from “overseas.”

“The online census form was subject to four denial of service attacks yesterday,” David Kalisch told the ABC. “The first three caused minor disruption, but more than two million forms were successfully submitted and safely stored.”

The DDoS digital attack map shows no attacks on Australia.

Kalisch confirmed “steps have been taken overnight” to ensure the safety of data already provided. You can find out more about the safety of your data here.

An update from the ABS was expected at 9am, and it came at 9:53:

Shortly after, a statement was received from the Acting Australian Information Commissioner, Timothy Pilgrim, saying he is opening an investigation into the “cyber attacks”.

At 10:40, MP Michael McCormack spoke to the media alongside the ABS’ David Kalisch and Alastair MacGibbon, PM Malcolm Turnbull’s “cyber security advisor”.

Going back on statements released this morning, McCormack is now adamant this is not an “attack”. In fact, he says, it all started when a router failed. “This was not an attack, nor was it a hack. It was an attempt to frustrate the collection of data,” McCormack said, reiterating that no data was breached.

Explaining why the site was shut down, McCormack says the ABS was simply being “over-cautious”. The system could cope with the traffic flow, the minister says: the peak submission rate was 153 forms per second, under the 260 per second capacity.

David Kalisch didn’t get the memo about not calling it an “attack”, as he launched into explaining that a geo-blocking service meant to stop the DDoS attack “fell over”. The attack has been pinpointed as mostly coming from the USA.

“The attack was no more significant than we normally see,” he said, stating it was “a series of events, that only by lining them up, end on end, led to the unfortunate incident last night”.

He described it as “the equivalent of me parking a truck across your driveway.”

At 11:40, Prime Minister Malcolm Turnbull and Treasurer Scott Morrison spoke to the media and, after emphasising the importance of the Census, hoped to rule out speculation that it could have been the collective population of the country putting the site under strain as opposed to overseas attackers — wait — not attackers. “The site was scaled for mass participation,” Turnbull said.

We will keep you updated as more information comes to light.