ABS blames DDoS attacks for census outage


By Dylan Bushell-Embling
Wednesday, 10 August, 2016



The Australian Bureau of Statistics has blamed a series of DDoS attacks for the outage that left millions of Australians unable to complete this year’s census online.

On Twitter, the ABS revealed that it had shut down the system shortly after 7.30 pm on census night as a precautionary measure, following “four Denial of Service attacks of varying nature & severity”.

The bureau moved to assure citizens that they will have until well into September to complete the process, and that no fines would be issued for completing the census after 9 August. More than 2 million census forms were successfully submitted prior to the outage, the ABS said.

But the government has been sending mixed messages as to whether or not there was an attack on the system.

ABS Chief Statistician David Kalisch told ABC NewsRadio this morning that there was an attack, believed to be from overseas hackers, that appeared to be a deliberate attempt to sabotage the census. But census minister Michael McCormack has insisted that it was not an attack, while Malcolm Turnbull has attributed the outage to hardware failures.

“There were some failures in the equipment, frankly, hardware failures in some of the protections that were put in place, the so-called geoblocking protections and obviously that will be the subject of examination,” Turnbull said during a press conference. Experts have suggested that a faulty geoblocking implementation could be the root cause.

Webroot’s senior information security analyst Dan Slattery commented that a DDoS attack on the system is a plausible scenario.

“DDoS attacks are reasonably easy to achieve; hackers can purchase botnet resources and point the distributed power of the compromised systems towards a specific server or website. These attacks are designed to disrupt access and bring a service offline. It isn’t designed to compromise data,” he said.

“There is speculation that the attack happened as a protest against the ABS’s decision to collect and save personally identifiable information alongside the census for the first time this year. There were worries that there may be a data breach and this information will become public or used for malicious purposes. The ABS have reported 14 separate data breaches since 2013.”

Trend Micro Senior Architect Dr Jon Oliver meanwhile noted “the possibility that more sophisticated attackers were attempting to breach the systems under the cover of a straightforward DDoS attack. I agree with the ABS’s decision to close the site down after they had compelling evidence that these attacks were indeed happening.”

Privacy Commissioner Timothy Pilgrim has opened an investigation into the alleged attack under the Australian Privacy Act 1988.

“My first priority is to ensure that no personal information has been compromised as a result of these attacks,” he commented.

“Yesterday I noted that the Office of the Australian Information Commissioner has been briefed by the ABS on the privacy protections put in place for the census. My office will continue to work with the ABS to ensure they are taking appropriate steps to protect the personal information collected through the census.”

Kalisch has moved to quell concerns that the alleged attack has left Australians’ personal data exposed. “I can reassure Australians that their data are secure at the ABS,” he said in a statement.

But the high-profile outage has also added to the furore over the controversial decision to store the submitted data for four years.

In a media briefing, Leader of the Opposition Bill Shorten called on the government to reconsider this decision. He also slammed the Turnbull government for conducting the “worst-run census in the history of Australia” and called the process a “complete Turnbull train wreck”.

Independent senator Nick Xenophon has meanwhile called for a senate inquiry into the issue, while Greens senator Scott Ludlam has revealed that he will move parliament to prevent the ABS from fining Australians refusing to provide their names for the census.

“The ABS and the government have ignored expert warnings for months, acted dismissively over the concerns people raised and find themselves on the eve of the census facing widespread civil disobedience as people act to protect their own privacy,” he said.

“I also hope the government will be seeking a refund from the company that undertook load-testing on the ABS servers, which appear to have collapsed under the weight of people attempting to complete the document online.”

Prior to census day, the ABS had asserted that it had stress tested the online census system up to 150% capacity and that it was ready to handle the high volume of expected submissions.

Budget documents for the census website indicate that the ABS paid IBM Australia $9.6 million to design, develop and implement the eCensus system for 2016 and Australia’s Revolution IT $325,000 to provide census load testing. The ABS census site had a total budget for the year of $34 million.

Whatever the root cause, the smart money was on the census site suffering an outage. Sportsbet revealed that it has paid out bets to 26 punters who had taken up a bet that the site would crash. The company initially offered odds of $1.87, but betting activity reduced this to $1.50 the day before polling began.

“Well the census amongst our punters was that the website was going to be chaotic and they’ve been proven right,” Sportsbet’s Will Byrne commented. “Hopefully they’ll get to keep their winnings and not have to fork out for not completing the survey in time!”

Image courtesy of Ruben Schade under CC


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd