We recently outlined numerous privacy concerns with the 2016 Australian census. These concerns included the change to compulsory names and addresses, and the potential problems with online collection of highly personal data. Last night, 9 August 2016, was census night, and we saw the Australian census fail.

In fact, census night was an utter disaster.  The site was non-responsive for thousands, possibly millions, and was eventually shut down. It is still unavailable at the time of writing.

The Australian Bureau of Statistics (ABS) is blaming the outage on hackers conducting denial-of-service (DoS) attacks. In a DoS attack, attackers flood the target machine with requests, overloading it and preventing access by legitimate users.

A DoS attack is certainly a possibility – it must be considered by all high-profile websites, and prevention measures put in place. However, there is no evidence that an attack occurred.

Given that millions of Australians were trying to enter their census information on census night (probably simultaneously), it is likely that the site was simply overloaded by legitimate users. It is not easy to develop a site that scales to this many users, and it seems likely that the ABS’s load testing was inadequate.

Whatever the scenario, it seems that the ABS was inadequately prepared for conducting an online census. Given the attraction so much personal data would have for cyber-attackers, let’s hope that the site’s security (a separate issue to scalability) is up to the task. As noted in our previous post, the signs in this area are not very positive either.  If a data breach does occur, having names and addresses present means almost every Australian’s personal details will be in the public domain, creating a privacy nightmare.