Peter A Clarke

The University of Western Sydney has suffered a data breach involving the loss of data of 10,000 individuals. It has posted a statement today which reveals that on 24 March 2025 it became aware of a post on the dark web referring to information taken from the university. That was over 2 weeks ago. The post itself was dated 1 November 2024, over 5 months ago. The University’s statement follows the usual pattern in Australia of saying it notified the various authorities. It lists those authorities. What it hasn’t done is notify the 10,000 current and former students but “expects to” do so. It is a fairly average notice, far below that which one would expect of a large organisation. It says very little in a lot of words.  It concludes by stating “As this incident is subject to ongoing investigations, including by NSW Police, the University is unable to provide further comment.” That is complete nonsense.  The University is not legally precluded from making further comment.  No charges have been laid.  It is possible both not compromise any investigation and be more forthcoming.  It happens all the time.  It is quite a dishonest statement.  This poor approach by the University of Western Sydney can easily back fire if information appears from other sources, quite a common occurrence.  Given this is the second cyber breach in 12 months, with the first occurring in the middle of last year, there is clearly a systemic issue at the University of Western Sydney.

Universities are regularly and, depressingly, successfully attacked by hackers. I posted on a data breach at Griffith University earlier this month, at QUT in 2023, at the University of Western Australia in August 2022, Deakin University in July 2022, University of Tasmania in 2020, the ACU in 2019 and the ANU (for the 2nd time in a year) in 2019. And the ABC reported that the University of Notre Dame suffered severe disruption following a cyber attack. There are multiple weaknesses in a typical university structure, flaws in computer programs which are often cobbled together, weak controls on authorisations and poor depth in cyber security with a lack of detection tools to identify unusual activity if there has been a breach of defences.  There are programs that can detect unusual activity and certainly can alert IT if there is exfiltration of large amounts of data. 

The Australian article provides:

The data relates to demographic, enrolment and progression information, and was accessed through one of the University’s single sign-on (SSO) systems, Western Sydney University said in a statement.

It comes after the personal information of an unknown number of WSU members appears to have been posted to the dark web.

The NSW Police Force’s Cybercrime Squad is conducting an investigation under Strike Force Pardey.

“The University expects to notify approximately 10,000 current and former students next week whose information was subject to unauthorised access that occurred in January and February 2025. The data relates to demographic, enrolment and progression information,” the statement said.

“As soon as the unauthorised access was detected, the University’s internal and third-party cyber experts immediately began working to shut down the perpetrator’s access to the system in real time. Investigations into the incident are ongoing.”

The statement also referred to a post on the dark web which “referred to personal information belonging to the University community”.

The university says it became aware of the post on March 24, immediately alerting authorities, but that the post was likely made on November 1, 2024.

“The University continues to investigate the post in conjunction with the authorities. Early investigations indicate that the information contained in this post broadly reflects the same types of personal information outlined in previous cyber notifications.”

Following another cyber breach mid-last year, the University sought an interim order with the NSW Supreme Court “to prevent access, use, transmission and publication of any data associated with the post”.

Vice-Chancellor Professor George Williams said the university had been the “subject of persistent and targeted attacks on our network”.

“ The University is very aware of the personal impact these incidents are having on its students, staff and wider community,” he said.

“On behalf of the University, I apologise to our community. Our teams are working hard to respond and strengthen our digital environment.

“The higher education sector is increasingly the target of cyber attacks and Western Sydney University is not immune to this evolving threat landscape.”

The University said it continues to work with cyber security experts and relevant authorities including the National Office of Cyber Security, Australian Federal Police, the Australian Signals Directorate’s Australian Cyber Security Centre, and the NSW Information and Privacy Commission (IPC).

The statement from the Western University provides:

Western Sydney University has today updated its community on two cyber matters it is currently responding to.

• • The first is to advise our community of recent unauthorised access gained through one of the University’s single sign-on (SSO) systems.
  • The second relates to information that was posted by a perpetrator to a dark web forum.

“Western Sydney University has been the subject of persistent and targeted attacks on our network. The University is very aware of the personal impact these incidents are having on its students, staff and wider community,” Vice-Chancellor and President, Distinguished Professor George Williams AO said.

“On behalf of the University, I apologise to our community. Our teams are working hard to respond and strengthen our digital environment.

“The higher education sector is increasingly the target of cyber attacks and Western Sydney University is not immune to this evolving threat landscape.

“We ask our community to stay vigilant, remain alert and respond promptly when you are asked to take action.”

Single Sign-On Incident

The University expects to notify approximately 10,000 current and former students next week whose information was subject to unauthorised access that occurred in January and February 2025. The data relates to demographic, enrolment and progression information.

As soon as the unauthorised access was detected, the University’s internal and third-party cyber experts immediately began working to shut down the perpetrator’s access to the system in real time.

Investigations into the incident are ongoing.

Dark Web Post

On Monday 24 March 2025, the University became aware of a post on the dark web referring to personal information belonging to the University community. The University immediately activated its incident response plan and then alerted authorities.

Investigations indicate the post was made on 1 November 2024. The post was identified as a result of the University’s continued investment in our cyber capabilities.

The University continues to investigate the post in conjunction with the authorities. Early investigations indicate that the information contained in this post broadly reflects the same types of personal information outlined in previous cyber notifications.

We will keep the community informed as investigations progress. As impacted individuals are identified, we will notify them and explain the steps those individuals should take to protect themselves.

To protect its staff, students and community, the University has previously sought and was granted an interim injunction(opens in new window) in the NSW Supreme Court to prevent access, use, transmission and publication of any data associated with the post.

Ongoing Investigations

The University continues to work with cyber security experts and relevant authorities including the National Office of Cyber Security, Australian Federal Police, the Australian Signals Directorate’s Australian Cyber Security Centre, and the NSW Information and Privacy Commission (IPC).

The NSW Police Force’s Cybercrime Squad is also conducting an active investigation under Strike Force Pardey 2025 (E85649285).

As this incident is subject to ongoing investigations, including by NSW Police, the University is unable to provide further comment.