Was the 2016 Census Really Hacked or Attacked?
This year, for the first time, the ABS expected more than 60% of households to complete the census online, rather than using the traditional paper forms. Indeed, paper forms were no longer delivered to most homes.
The Census servers were hosted by IBM, and the system was sized to handle a peak load of one million form submissions per hour – double what the ABS expected would be needed. But a large majority of Australia’s 13 million Internet subscribers were expected to sit down and complete their census at around the same time on Tuesday evening, concentrating most of the day’s demand into a few hours. Against that kind of traffic profile, a ceiling of one million submissions per hour appears woefully under-dimensioned.
As the evening wore on, social media channels began to buzz with complaints. Most Australians could not access the Census forms, instead receiving error messages stating that the system could not be reached, and to please try again later. Then at 7:30 pm, the ABS shut down the system.
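The sizing argument above can be made concrete with a small load model. The following is an added illustration, not code from the original article or from the ABS or IBM: it spreads an assumed number of online respondents over the evening with a bell-shaped peak, caps throughput at the stated one million submissions per hour, and lets a fraction of rejected users retry after seeing the “try again later” message. Every figure other than the one-million-per-hour capacity (the number of households, the peak hour, the spread, the retry rate) is a constructed assumption.

```python
"""Toy capacity model for an evening submission peak.

Added example, not from the original article. Assumptions: a fixed
capacity of 1,000,000 submissions/hour (the only figure taken from the
article), a Gaussian evening arrival profile, and users who retry after
a failed attempt. All other numbers are constructed for illustration.
"""
from math import exp

CAPACITY_PER_HOUR = 1_000_000  # provisioned peak stated in the article


def arrival_profile(total, peak_hour=20.0, spread_hours=1.5, step_minutes=5):
    """Spread `total` first attempts over 17:00-24:00 with a Gaussian peak.

    Returns a list of (hour, new_arrivals) per `step_minutes` slot.
    The bell shape is an assumption; a real profile would come from
    past traffic data.
    """
    slots, weights = [], []
    t = 17.0
    while t < 24.0:
        weights.append(exp(-((t - peak_hour) ** 2) / (2 * spread_hours ** 2)))
        slots.append(t)
        t += step_minutes / 60
    total_weight = sum(weights)
    return [(t, total * w / total_weight) for t, w in zip(slots, weights)]


def simulate(total_households, capacity_per_hour=CAPACITY_PER_HOUR,
             retry_fraction=0.8, step_minutes=5):
    """Slot-by-slot overload model with retry amplification.

    Each slot serves min(demand, capacity); whatever is rejected comes
    back in the next slot with probability `retry_fraction`, so a
    saturated system sees *more* demand the longer it stays saturated.
    Returns (peak_demand_per_hour, fraction_of_attempts_failed, attempts).
    """
    cap_per_slot = capacity_per_hour * step_minutes / 60
    carry = peak = attempts = failures = 0.0
    for _, new in arrival_profile(total_households, step_minutes=step_minutes):
        demand = new + carry                      # first attempts + retries
        attempts += demand
        peak = max(peak, demand * 60 / step_minutes)
        served = min(demand, cap_per_slot)
        failed = demand - served
        failures += failed
        carry = failed * retry_fraction          # "please try again later"
    return peak, failures / attempts, attempts


if __name__ == "__main__":
    # Constructed figure: roughly 60% of 13 million subscribers going online.
    for retries in (0.0, 0.8):
        peak, fail_rate, attempts = simulate(8_000_000, retry_fraction=retries)
        print(f"retry={retries:.1f}: peak demand {peak:,.0f}/h "
              f"(capacity {CAPACITY_PER_HOUR:,}), "
              f"{fail_rate:.0%} of {attempts:,.0f} attempts failed")
```

Two things the model makes visible that the raw numbers do not: the instantaneous peak is several times the hourly average even before anyone retries, and once the platform is saturated, retries add load without adding successful submissions, which is exactly how an overloaded site ends up looking like a flood of hostile traffic.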
In the days that followed, various conflicting theories and reasons for the outage were put forward by ABS executives and government ministers. The official line was that the site was closed as a precaution, to prevent theft of data resulting from a Distributed Denial of Service (DDoS) attack.
A DDoS attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. However, one website that tracks global DDoS attacks indicated no unusual activity at the time of the Census. And in any case, a DDoS attack on its own only prevents access to the system; it does not compromise or steal data. At most it can serve as cover for a separate intrusion, and that intrusion would need evidence of its own.
Indeed, the minister responsible for the Census subsequently denied that the survey was hacked or attacked, despite public statements to the contrary from the Australian Bureau of Statistics. In a press conference the following morning, Small Business Minister Michael McCormack said, “This was not an attack, nor was it a hack.” But his comments contradict earlier tweets and a press release from the ABS claiming there were four attacks.
While it’s possible the system did suffer a deliberate attack, there’s no clear evidence that this is the primary reason for the failure of the Census platform. Certainly, if undersized servers were already struggling to cope with the pressure caused by normal Australians filling out their forms, then even a weak DDoS might have tipped them over the edge.
However, the simplest explanation is usually the most likely. It’s more probable that the Census servers simply failed under the weight of millions of households attempting to access the system at the same time. In essence, regular Australians probably caused the Denial of Service themselves, simply because the platform was not adequately dimensioned to accommodate the peak traffic load.