Login
iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Powered by MOMENTUMMEDIA
The besieged university has advised its community of data breaches linked to “unusual activity” in August, and that passport data, bank details, and health information were compromised.
Western Sydney University has advised its staff and students that it has suffered another data breach as part of what it calls a series of incidents “intended to harm our community”.
The university detected and began investigating “two instances of unusual activity” on 6 and 11 August this year, impacting the university’s Student Management System, which is hosted by a third-party provider on a cloud-based platform.
“I want to again apologise for the impact this is having, and give you my assurance that we are doing everything we can to rectify this issue and support our community,” the university’s vice-chancellor and president, Distinguished Professor George Williams AO, said in a 23 October statement.
“This starts with working closely with NSW Police Force Cybercrime Squad’s Strike Force Docker and includes our ongoing efforts to strengthen our cyber security. On 25 June 2025, NSW Police arrested and charged a former student of the university.
“Despite this, attempts to gain unauthorised access to our systems have continued, including via external parties that supply IT services to the university.
“In recent weeks, it has become clear that these incidents are intended to harm our community.
“We encourage all students, staff and alumni who receive notifications to take the recommended actions, regardless of steps taken in the past, and to use the support services available.”
The university said the threat actor had access to an external system between 19 June and 23 September 2025. This incident, and the data exfiltrated, was linked to a series of fraudulent emails recently sent to students and alumni.
“Unauthorised entry through these third and fourth party systems enabled personal information to be accessed and exfiltrated from the university’s Student Management System,” the university said.
“The university’s investigations confirm that the fraudulent emails which were sent to some community members on 6 October 2025 used data stolen in this incident. “
The personal data impacted by this latest incident includes:
“Individual notifications are already being distributed to those impacted by this incident,” the university said.
“Some notifications will include personal information impacted through previous incidents, identified through ongoing investigations.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
