Western Sydney University hit by cyber attack

Summary
– Western Sydney University experienced a cyber incident involving unauthorized access to personal information through its Student Management System via third-party providers.
– The breach occurred between June 19, 2025, and September 3, 2025, with unusual activity detected on August 6 and August 11, 2025, leading to data exfiltration.
– Compromised data includes contact details, financial information, identification documents, health records, and employment details of students, staff, and alumni.
– NSW Police arrested a former student in connection with the incident, but unauthorized access attempts have continued through external IT service providers.
– The university is sending individual notifications to those affected and has obtained a court injunction prohibiting the use of stolen data.
Western Sydney University has issued a significant update regarding a cybersecurity breach that compromised personal data belonging to students, staff, and alumni. The institution is now actively informing affected individuals and outlining protective measures they should take.
Distinguished Professor George Williams AO, the Vice-Chancellor and President, expressed his regret over the situation. “I sincerely apologize for the distress this incident is causing,” he stated. “Our commitment remains firm in resolving this matter and providing robust support to everyone involved.” He confirmed the university is collaborating closely with the NSW Police Force Cybercrime Squad’s Strike Force Docker and is intensifying efforts to enhance its digital security framework. A former student was arrested and formally charged in connection with the incident on June 25, 2025.
Despite this law enforcement action, attempts to infiltrate the university’s systems have persisted. These ongoing attacks have also targeted external IT service providers that work with the university. Recent developments indicate these incidents are deliberately aimed at causing harm to the university community.
The breach was first detected through two separate instances of unusual activity on August 6 and August 11, 2025. This activity occurred within the university’s Student Management System, which is hosted by a third-party provider on a cloud platform. An immediate investigation was launched, and access to the platform was shut down. The probe confirmed that unauthorized access was gained via a linked external system during the period from June 19 to September 3, 2025. This unauthorized entry through third- and fourth-party systems allowed personal information to be accessed and extracted from the Student Management System. Investigations have verified that fraudulent emails sent to some community members on October 6, 2025, utilized data stolen in this breach.
Upon discovery, the university promptly reported the incident to NSW Police and relevant regulatory bodies. At the request of the police, public notification was delayed to avoid compromising their investigative efforts. Police have now authorized the release of today’s notification, which is directed at offer recipients, former and current students and staff of the University, The College, The International College, and staff of Early Learning Ltd.
The compromised personal information is extensive and includes:
- Contact details such as address, email, and phone number
- Full name, date of birth, and student or staff identification numbers
- Country of birth, nationality, citizenship, and gender or identity information
- Ethnicity
- Employment and payroll details
- Bank account information
- Tax file number
- Driver licence details
- Passport information
- Visa documentation
- Complaint or case information
- Health and disability records
- Legal information
Individual notifications are currently being dispatched to those impacted. Some communications will also reference personal information affected by prior incidents, identified through the university’s continuous investigative work. The institution strongly urges all students, staff, and alumni who receive these notifications to follow the recommended protective actions, even if they have taken previous steps, and to utilize the available support services.
An interim injunction from the NSW Supreme Court remains in effect, prohibiting the transmission, publication, or use of any information or material that was obtained without authorization from the university’s IT systems and network by the former student.
(Source: ITWire Australia)