The census website was shut down after being attacked by foreign hackers, the Australian Bureau of Statistics says.
The privacy commissioner is investigating the ABS over the reported cyber attacks that forced the Bureau to close down its site on census night on Tuesday.
"It was an attack, and we believe from overseas ... It was quite clear it was malicious," chief statistician David Kalisch told ABC radio on Wednesday.
The census was targeted by four denial of service (DoS) attacks, Mr Kalisch said. A DoS is a broad term for attacks that attempt to crash an online system so that users are unable to access it.
The first three caused minor disruptions and did not stop more than 2 million census forms from being "successfully submitted and safely stored", he said.
But the site was shut down after a "gap" in the system's security measures was found during a fourth attack, Mr Kalisch said.
"After the fourth attack, which took place just after 7.30pm [on Tuesday AEST], the ABS took the precaution of closing down the system to ensure the integrity of the data.
"I can certainly reassure Australians the data they provided is safe," Mr Kalisch said.
In a press conference on Wednesday, Mr Kalisch described a "confluence of events" that caused the fiasco: the system's geo-blocking protection was not working effectively, a hardware router failed, and a monitoring system "threw up queries we needed to investigate".
The minister responsible for the census, Michael McCormack, said the ABS was "overcautious" in shutting the site down after a router became overloaded during the fourth disruption.
"The good news is the firewalls held up," the minister said.
Despite Mr Kalisch's earlier comments, Mr McCormack said it was "not an attack ... not a hack", but an attempt to frustrate the process.
The Australian Signals Directorate - an intelligence agency within the Australian Department of Defence - is investigating, but had indicated it would be very difficult to find the source of the attack.
ABS 'not prepared' for attack a child could pull off
IT and cybersecurity experts have speculated that a DDoS (Distributed Denial of Service) attack was to blame. A DDoS is a type of DoS attack in which hackers attempt to crash a system by flooding it with bots - or Trojan - accounts.
"What is surprising is that they weren't resilient. With a massive system like this ... this is what you should expect," security adviser Troy Hunt told Fairfax Media.
"Many times it's literally just children mounting these attacks," he said.
"It [raises] the question of what DDoS mitigation they had in place. Because it clearly didn't work."
Hunt said he "really highly doubts" the involvement of anyone outside Australia.
A handful of Twitter users from the IT crowd pointed to digital attack maps that showed no DDoS activity in Australia on Tuesday.
How census night unfolded
The bureau had dismissed suggestions an overload could cause the system to crash earlier in the day.
But as an estimated 16 million people logged on to the census website on Tuesday night, they were met with error messages and told the system was "overloaded" before the website crashed.
The troubles began about 5pm on Tuesday, when people trying to access the form were stopped by messages including a "code 31" error, which said the request "could not be completed because a problem was encountered".
The frequency increased as the evening neared and many Australians trying to reach the census site after 7pm couldn't connect.
Over the past 24 hours, #censusfail had amassed more than 80,000 tweets. The tweets peaked about 9.30pm on Tuesday, hovering about 300 tweets a minute.
The ABS had shut down the site at 7.45pm, the bureau said.
But the bureau did not release a statement advising the website was unavailable until about 11.30pm. Earlier advice from the ABS was that they were "experiencing an outage".
The ABS chief said he believed the details of people - including Prime Minister Malcolm Turnbull - who had successfully accessed the site were secure.
"Steps have been taken during the night to remedy these issues and I can certainly reassure Australians that the data they provided is safe," Mr Kalisch said.
Mr Kalisch said he expected the site would be back online about 9am on Wednesday. However, by 10am the site still was not back up.
The minister responsible for managing the census, Michael McCormack, will hold a press conference in Canberra on Wednesday morning.
Australians who failed to fill out the census because of the website outage will not be fined, and have until September 23 to complete the survey, the federal government says.
Boycott justified?
The census was plagued by a growing boycott over fears of potential privacy breaches.
Asked if the debacle confirmed fears over the security of the information, Mr Kalisch said: "If anything, it actually confirms the strong position that the ABS has taken in terms of security the integrity of the data."
"The data that comes to ABS is encrypted and it was secured and received safely at the ABS ... we have it at the ABS no one else has it," he said.
The ABS controversially switched to an opt-out online format this year and moved to store personal data for four years rather than 18 months.
Although the names will be destroyed after those four years, the ABS created linkage keys that link names to other data it collects, which will be kept indefinitely.
However, the ABS says that staff cannot get back to the name, once it is destroyed, from the other data via the key.
The census was delivered by technology company IBM using its Australian SoftLayer cloud. Figures from the Australian government's procurement agency AusTender show IBM was paid more than $9.6 million in 2014 to design, develop and implement the "eCensus".
Melbourne-based company Revolution IT was also paid $378,332 for IT consulting and 'load testing' on the census and agricultural census. 'Load testing' is a process intended to ensure a website can handle a high volume of simultaneous users without crashing.
Privacy Commissioner investigates
Australian privacy commissioner Timothy Pilgrim will investigate the ABS over cyber attacks that threatened the census.
"Based on these reports, I am commencing an investigation of the Australian Bureau of Statistics in regards to these cyber attacks, under the Australian Privacy Act 1988," Mr Pilgrim said in a statement.
"My first priority is to ensure that no personal information has been compromised as a result of these attacks," he said.
The commissioner said his office was briefed by the ABS on the privacy protections in place for the census.
"My office will continue to work with the ABS to ensure they are taking appropriate steps to protect the personal information collected through the census," he said.
'Worst-handled census in history'
Independent senator Nick Xenophon, who had refused to put his name to the census, questioned how the public could still trust the ABS and its privacy assurances.
He demanded the agency explain where the attack came from and whether it really was an attempted hack or just a system overload.
"I think they need to fess up," he told ABC radio, demanding a Senate inquiry.
Labor stopped short of calling for Mr McCormack to resign. Shadow assistant treasurer Andrew Leigh told Fairfax Media there should be "a full reckoning" in the form of an inquiry.
"We need an open and transparent inquiry as to what went wrong in the 2016 census, which looks to be the worst-handled census in Australian history," he said.
Dr Leigh said the Turnbull government had taken a "hands-off approach" to the census, including appointing three different ministers over 12 months, and could not "palm off" responsibility for the failure on to ABS bureaucrats.
No matter what happens next, he suggested the value of the census had been gutted because it had failed to take a "snapshot" of the country on the night of August 9.
"The quality of the data for the 2016 census has clearly been compromised," Dr Leigh said. "That's because we haven't got the high on the night response rate that we've seen in previous censuses."
With Michael Koziol, Georgina Mitchell and AAP.