The Queensland University of Technology (QUT) has admitted it has no way of knowing if some of the highly sensitive data of more than 11,000 current and former staff and students has been sold after its shared drive was hacked.
Hackers accessed nearly 4,000 tax file numbers as well as bank accounts, super details, home addresses and more in the December cyber attack.
A ransom was demanded in letters that were spat out of university printers, but it was never paid and systems are now back online.
Months of worry
Data scientist Smitha Mandre-Jackson is a former QUT staff member of 18 years whose tax file number, home address, bank account details and super details were stolen.
She feared her details could be made public by hackers and immediately appreciated the gravity of the situation.
"Once your identity goes, it's very, very serious," she said.
Ms Mandre-Jackson said it cost thousands of dollars and hours of time to replace devices, increase security at her family home and secure account details which had taken an emotional toll on her husband and children.
"I'm feeling emotionally drained ... we couldn't be a family. It was just a huge impact," she said.
She said household devices had also received suspicious messages and unsolicited porn, but it was unclear whether those were directly linked to the hack.
Some hacked data sold
Vice Chancellor Margaret Sheil said the university has stringent cyber security measures, and had become aware of the attack before the hackers sent letters from the university printers.
"They were blocked out immediately and we shut off that particular means by which they were able to access the system," she said.
Since the event technology bloggers have reported that 10 per cent of the data accessed was sold, but Professor Shiel says the university had no way of verifying that.
"We don't have any evidence the information was used in any way," she said.
"Phone numbers are very accessible in a whole range of ways, not necessarily through this incident.
"I describe it as the physical equivalent of some criminals putting their hand through a louvre window, and they just happened to pick some stuff off the shelf in the bathroom.
"It doesn't diminish the impact of what was lost, but it's a crime," she said.
The ABC understands some former staff caught up in the breach worked at the university more than a decade ago.
While Professor Shiel insisted it was not a privacy breach to keep highly personal data on file for that long, she said the university was reviewing its management of records.
'They've lost control of the data'
Perth-based cyber security expert Professor Paul Haskell-Dowland said the risk of identity theft would continue well beyond the initial attack.
"If the data has been extracted from the organisation, you've effectively lost control of it," he said.
"So while you may be able to recover your systems and continue to conduct your business, the data that was potentially taken by the criminals, is likely being stored by them, and potentially could be reused in future campaigns."
Professor Haskell-Dowland said it was concerning so many tax file numbers were accessed.
"It's quite possible that a much larger identity fraud could be conducted using this TFN data coupled with other information they can scrape together from other sources."
He said the QUT hack was one of many high profile ransomware attacks which will inform and improve government responses to cyber crime.
"I think as we see more and more of these particular occasions happening, we're likely to see an increased interest in compensation to individuals, as well as seeing the most significant changes to the legislation that enables significant penalties to be applied to the organisations."