The census wasn't hacked, but Australia still has a problem
The Australian Bureau of Statistics says widespread outages on the census website were due to four "malicious" DDoS attacks on launch day. It wasn't a full-blown hack, but the bureau still has a tough time ahead.
- Webby Award Winner (Best Video Host, 2021), Webby Nominee (Podcasts, 2021), Gold Telly (Documentary Series, 2021), Silver Telly (Video Writing, 2021), W3 Award (Best Host, 2020), Australian IT Journalism Awards (Best Journalist, Best News Journalist 2017)
Coordinated attacks apparently overloaded government servers.
Australians complained of slow website load times and problems completing the census online, but the cause of #CensusFail may be something far more serious.
The Australian Bureau of Statistics said it was hit with a deliberate and "malicious" attack from offshore, designed to sabotage the 2016 Census.
The bureau had called on the whole of Australia to "go online on August 9" to complete the census, but it appears that call was heard overseas too. The site hosting the census faced four distributed denial-of-service (DDoS) attacks that day, according to the bureau.
DDoS attacks are designed to overload a server with massive amounts of irrelevant traffic, making it inaccessible to the intended users. In the case of the census website, it meant Australians were unable to load the website and submit their forms as required.
While the first three DDoS attacks only caused "minor disruptions," ABS head statistician David Kalisch said, the bureau made the decision to take the site down just after 7:30 p.m. that day after the fourth attack, to "ensure the integrity" of the data.
It's a massive blow for the bureau, which has been plagued with complaints over privacy concerns in its bid to retain name and address data for longer than ever before. It's also a major blow for the census itself, which was supposed to be completed online for the first time by the majority of Australians.
Australia's problems could be a taste of what governments worldwide will face as they shift more and more projects -- both minor and massive -- online. It also reinforces average citizens' concerns about the security, or lack thereof, of their personal information.
Kalisch told the Australian Broadcasting Corporation that the bureau believed the attack was a deliberate attempt to sabotage the census.
"The scale of the attack, it was quite clear it was malicious," he said.
The bureau's census account on Twitter tweeted at 8:30 p.m. that it was working to restore services, an hour after the whole site was taken offline. The team later advised that the site would be down for the rest of the night.
While the source of the attack is not yet clear, many outlets reported that the census was "hacked." But a DDoS attack is a different beast from an attempt to hack into a system to steal data -- a point that Kalisch was eager to make. DDoS attacks result in interrupted access, whereas hacks generally result in unauthorised access to information.
Media outlets ran with the story of a census hack, though technically it was a distributed denial-of-service attack.
"It was an attack, and we believe from overseas," he said. "The Australian Signals Directorate [is] investigating but ...did note that it was very difficult to source the attack."
Despite the outage, Kalisch said, "more than 2 million forms were successfully submitted and safely stored" despite the three early attacks.
"Steps have been taken during the night to remedy these issues and I can certainly reassure Australians that the data they provided is safe," said Kalisch.
But after struggling to allay public concerns over privacy, the bureau may once again be losing the battle to keep the public calm, with mainstream media already picking up the "hack" angle.
Regardless of the source of the attack, the bureau will need to move swiftly to reassure Australians that their data -- now paired to their name and address -- is safe.
One thing is clear. Census 2016 will certainly be remembered.