The University of Western Australia has disclosed it has been the victim of a data breach after access credentials for its Callista database were accidentally shared online.
“The University of Western Australia recently identified a security vulnerability that has exposed access to a subset of student profile information,” a university spokesperson told Cyber Daily.
“Following identification of an incidence of unauthorised external access to the Callista database, the university’s Student Information Management System, UWA IT immediately took steps to secure the system and removed the vulnerability.
“Personal data belonging to current students and some recent graduates and prospective students was involved, including name, student ID, date of birth (day and month only), phone number, personal email address, postcode and enrolment status.”
The university has also published an advisory on its website, which explains how the incident occurred.
“System access credentials were unintentionally exposed online, creating the pathway for potential unauthorised access,” the university said.
So far, the University of Western Australia has found no evidence that data has been used maliciously, but it is recommending that students remain vigilant.
“No other information or documents, including financial details, were accessed, compromised or involved in this incident,” the university said.
“No disruption to or resetting of UWA accounts has been required, and all other university-wide learning and teaching systems remain unaffected.
“The university has apologised for any concern or inconvenience this incident may have caused and will conduct a review to guide further strengthening of its cyber defences and processes in response to this incident.”
This is the second data breach suffered by the University of Western Australia in six months. The university had to reset the passwords of students and staff alike following a cyber attack in August 2025.
The university was also targeted in 2022, which led to a 22-year-old Perth man being charged with one count of unlawfully using a computer and gaining or intending to gain a benefit after he allegedly hacked the university.
That breach compromised names, home addresses, email addresses, phone numbers, emergency contact details, birth dates, student IDs and photos, course details, birth country, and citizenship status.
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.