This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Western Sydney University

Summary

Western Sydney University experienced its third major data breach in 2024, with attackers gaining access to the Student Management System and data warehouse on 14 August 2024. The breach was detected on 27 August 2024 and exposed student names, addresses, email addresses, student ID numbers, tuition fees, enrollment data, and demographic information.

What Happened

On 14 August 2024, perpetrators gained unauthorized access to Western Sydney University's Student Management System and associated data warehouse. The breach went undetected for nearly two weeks until 27 August 2024.

This was the university's third data breach in 2024:

  1. May 2024: Threat actors accessed the university's Microsoft Office 365 environment between May 2023 and January 2024, affecting approximately 7,500 people.

  2. July 2024: Attackers infiltrated the Isilon storage platform, accessing 580 terabytes of data from 83 of 400 directories. The unauthorized access lasted from July 2023 until 16 March 2024 before being detected.

  3. August 2024: The current incident, involving the Student Management System.

The repeated breaches suggest systemic security vulnerabilities at the institution.

Impact on Individuals

The August 2024 breach exposed:

  • Student names and student identification numbers
  • Postal addresses and email addresses
  • Tuition fee information
  • Student admission and enrollment data
  • Demographic information including nationality and Indigenous status
  • Dates of birth

While this data does not include government identity documents or financial information, it creates risks for:

  • Targeted phishing campaigns against students
  • Identity correlation and profiling
  • Potential discrimination based on demographic data
  • Academic fraud using student credentials

The exposure of Indigenous status and nationality information is particularly sensitive and could be used for discriminatory purposes.

Organisational Response

Western Sydney University notified affected individuals and reported the breach to the Office of the Australian Information Commissioner. The university engaged external cybersecurity experts to investigate the incidents and improve security measures.

The pattern of three major breaches within one year raised serious questions about the university's cybersecurity posture and whether adequate resources were being allocated to protect student data. The Australian education sector experienced 44 notifiable data breaches in the first half of 2024 alone, highlighting systemic vulnerabilities across the sector.

