Western Sydney University hit with second cyber security breach

Western Sydney University's Kingswood campus. Photo: Megan Dunn.
Western Sydney University has today issued a public notification after a University IT account was compromised, which provided a perpetrator with unauthorised access to some data from the Student Management System and other back-end data storage systems including the Data Warehouse.

This public notification is separate from the previous cyber incident impacting the university earlier this year.

Vice-Chancellor and President, Distinguished Professor George Williams AO, said: “On behalf of the University, I unreservedly apologise for this incident and the impact it is having on our community. We are committed to supporting our students, staff and stakeholders, and have several support services in place.”

The University has drawn the public notification to the attention of former and current students and staff of the University, The College and The International College, and staff of Early Learning Ltd.

The University has undertaken preliminary analysis on the impact of the unauthorised access and can confirm the following:

• From August 14, 2024, the perpetrator gained access to some data from the Student Management System and other back-end data storage systems including the Data Warehouse.

• On August 27, 2024, the University detected the unauthorised access and took immediate steps to protect our network in response.

• On August 21, 2024, the unauthorised access was contained.

• On October 1, 2024, the University’s investigation confirmed that personal information was accessed.

• As of October 31, 2024, the investigation has confirmed names, addresses, University-issued email addresses, student identification numbers, tuition fee information (including fees deferred to HELP/HECS), student admission and enrolment data (including subject, results and progression information), and student demographic data (including nationality, Indigenous status, country of birth, citizenship status, gender and date of birth) were accessed.

• As this investigation progresses, additional personal information may be found to have been accessed.

• There is no evidence to date that student records have been altered.

The University has not received any threats to disclose private information or demands in exchange for maintaining privacy. The University has dark web monitoring in place and there is no evidence to date that the data has been uploaded.

The University’s investigation to date indicates the perpetrator has used sophisticated techniques to gain unauthorised access in a targeted, persistent and sustained manner.

The University continues to uplift its cyber security protections in response to this incident and the incidents of unauthorised access the University became aware of earlier this year. The University’s ongoing remediation work includes, but is not limited to:

• Ongoing password resets.
• Enhancing detection and implementing 24/7 monitoring capabilities.
• Implementing additional firewall protection.
• Increasing our cyber security team capacity.

Students and staff are advised that there may be some ongoing disruption to the IT network as the University continues to uplift its cyber security protections. The University is not in a position to provide any further specific information about its remediation efforts to protect the ongoing security of its system.

The University is working with cyber security experts and relevant authorities across Government, including the National Office of Cyber Security, Australian Federal Police, the Australian Signals Directorate’s Australian Cyber Security Centre, and the NSW Information and Privacy Commission (IPC). The NSW Police Force’s Cybercrime Squad is also conducting an active investigation.

To protect University staff, students and stakeholders, the University sought and was granted an interim injunction in the NSW Supreme Court to prevent access, use, transmission and publication of any data that is the subject of the cyber incidents notified this year. This interim injunction has been extended to include the data accessed in this breach.

Students, staff and alumni have received information today about the support services made available to them by the University. IDCARE has been engaged by the University to provide free advice and support to people who may have questions about how to protect themselves when identity information may have been compromised.

If members of the University’s community have been impacted by previous cyber incidents, they should take additional steps to protect their personal information. In this case, they should let IDCARE know so they can receive the most appropriate advice.

The public notification and more information about the University’s support services are available at http://www.westernsydney.edu.au/publicnotification.

As there are ongoing investigations, including by NSW Police, the University is unable to comment any further at this point.

Weekender Newsroom

This post has been published by the team in our newsroom.

