On 6th October, thousands of Western Sydney University (WSU) students were informed via email that their degrees were “not legitimate”.

The email said that “Following a thorough review, the decision has been made to permanently exclude you from any further study at Western Sydney University. As a result, any existing certificates or awards previously issued to you are hereby revoked.”

The email was also addressed to alumni, including students who had graduated many years ago.

Students later received an email from “Parking compliance, campus safety and security” alerting them to a security breach in which their emails had been hacked into. The email was an extensive statement on WSU’s weak security system.

Both emails had been sent by a no-reply address using the WSU domain.

A student who wrote online about the emails said “I was a student for not even a full semester back in 2012 and the email I got included my full name and my student number.”

A prospective WSU student said online that “knowing my information is at risk is actually a pretty strong deterrent to apply [sic].”

WSU Vice Chancellor George Williams sent students an email on 7th October confirming that the administration is investigating the data breach and assuring affected students that their enrolments were unchanged.

“We are actively investigating this matter and taking steps to contain and address the issue. NSW Police are also investigating the matter,” Williams said.

“In the meantime, we strongly advise you not to respond to these emails or click on any links they may contain.”

This data breach follows the arrest of a former WSU student in June for allegedly hacking into the WSU servers. The student allegedly changed her own grades and then downloaded personal information of other students and threatened to sell it on the dark web.

That breach escalated to an alleged $40,000 ransom demand in November 2024, before the student was arrested this year and charged with 21 offences.

Under Australian privacy law, it is illegal to fraudulently access people’s emails and send them under a false identity. WSU could be liable for failing to protect its students’ privacy and security.