Western Sydney University (WSU) has alerted 10,000 students impacted by a mass data breach through the university’s single sign-on (SSO) system between 28th January and 25th February, 2025.
On Tuesday 15th April, the university sent individual notifications to both current and former students whose personal information was accessed by hackers in the cyber attack.
The breached data includes students’ personal demographic, enrolment, and progression information.
The NSW Police Force’s Cybercrime Squad is conducting an ongoing investigation into the extent of the damage.
WSU became aware of potential unauthorised access on 8th February and implemented immediate protective measures with both internal and third-party teams. This includes password resets and additional monitoring and detection tools.
Over the past year, the university alluded to major investments to uplift their cyber capabilities.
The university has not announced plans to move away from their current SSO system.
The breach follows a separate incident on Monday 24th March when the university discovered a dark web post containing similar personal information during their routine cybersecurity monitoring. The post was created on 1st November 2024 and is also undergoing investigation.
NSW Supreme Court granted an interim injunction to prevent access, use, transmission, and publication of data associated with the post.
In a response to the community, Vice-Chancellor George Williams AO has referred to this pattern as a series of “persistent targeted attacks on our network”.
Professor Williams said, “The higher education sector is increasingly the target of cyber attacks and Western Sydney University is not immune to this evolving threat landscape.” He added, “We ask our community to stay vigilant (and) remain alert.”
Due to ongoing investigations by NSW Police, WSU was unable to provide further comment.
