This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Western Sydney University

Summary

Western Sydney University suffered a significant data breach affecting approximately 10,000 current and former students after an attacker gained unauthorised access through one of the university's single sign-on systems. The breach, which occurred between 28 January and 25 February 2025, exposed personal demographic information, enrolment and progression data, tax file numbers, and identity documents.

What Happened

On 28 January 2025, an unauthorised party gained access to Western Sydney University's systems through a single sign-on service. The university became aware of potential unauthorised access on 8 February 2025 and immediately mobilised internal and third-party cyber experts to investigate and remediate the network. The unauthorised access continued until 25 February 2025, during which time the attacker accessed student records. The university publicly disclosed the breach on 15 April 2025 after completing its investigation into the scope and impact.

Impact on Individuals

Approximately 10,000 individuals, primarily current and former students, were affected by the breach. Compromised data included personal demographic information, enrolment and progression records, tax file numbers, and identity documents. The exposure of tax file numbers and identity documents created significant risks for identity theft and fraud.

Organisational Response

Upon discovering the breach on 8 February 2025, the university's cyber teams worked to shut down access pathways, enhance account security, implement password resets, and deploy additional monitoring, detection, and forensic tools. The university provided individual notifications to all affected individuals outlining the impact and available support. NSW Police Force's Cybercrime Squad conducted an investigation under Strike Force Pardey 2025, resulting in the arrest of the alleged hacker in June 2025.

