I agree that there will be information that needs to be readily accessible and as such may not be encrypted (but should be well secured by good security, e.g. password access, 2 factor authentication, firewalls, and similar), but 19 years of data is somewhat less excusable. In some of my work areas, data that didn’t require immediate access needed an appropriate authorisation, and then the data was retrieved from offline storage and made available. Once the data was no longer needed it was scrubbed from the live systems and again resided on offline storage.
Even if they decided to store historical data in live systems, they should have had systems in place that made that data unreadable unless the correct authorisation was input to decrypt the data. That would/should entail that the authorisation was not stored in such a way that it could be accessed from the same live system. Air gap and/or even SDP is highly recommended, and air gapping perhaps should be required for the password/phrase storage.
Some businesses store some data in hashed & salted form so things like passwords are very difficult to crack, and then they encrypt the other data so that the only way to gain access to the reversible data is by use of the secured password/passphrase. Keyloggers or other measures may have been put in place to get the access credentials, but regular and thorough checks and audits of systems and access should have been undertaken to reduce this threat to an absolute minimum and to ensure that, if breached, the breach was quickly detected.
In the ANU breach (unfortunately similar to many others) the breach occurred well into the past and was only detected 2 weeks ago. Sorry, this is not good security from such an “elite” education facility and one that should employ very competent IT security staff. It might be excused somewhat in a less well resourced business, but this is not some novice organisation. The statements attributed to the Vice Chancellor Professor Schmidt do not inspire me that sufficient regard was made previously to the need to proactively secure the data, i.e. “The university has taken immediate precautions to further strengthen our IT security and is working continuously to build on these precautions to reduce the risk of future intrusion,” he said.
“The chief information security officer will be issuing advice shortly on measures we can all take to better protect our systems, and I strongly encourage you all to implement those measures.” (Why wasn’t this addressed long ago?)
“I assure you we are taking this incident extremely seriously and we are doing all we can to improve the digital safety of our community. We are all affected by this and it is important we look after one another as our community comes to terms with the impact of this breach.” (they should be taking it seriously but I guess they have to make the statement in case people don’t understand that they do take it seriously because they got breached some time ago and only just found out)
The horse has bolted so now they secure the gate…too late…