This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Western Sydney University (Student Management System)

Summary

Western Sydney University suffered a major data breach between 19 June and 3 September 2025 when unauthorised parties exploited a daisy-chain of third-party suppliers to access the university's Student Management System. The breach, disclosed in October 2025, exposed highly sensitive personal information including tax file numbers, bank account details, passport and driver licence details, visa information, health and disability data, and legal records. NSW Police arrested and charged a former student on 25 June 2025.

What Happened

Between 19 June and 3 September 2025, unauthorised parties gained access to Western Sydney University's Student Management System through a complex chain of third- and fourth-party systems. The university detected unusual activity on the student management system on 6 August and 11 August 2025. Investigation revealed that attackers exploited an external system linked to a third-party cloud platform, with this daisy-chain of suppliers enabling unauthorised entry and data exfiltration from the Student Management System hosted by a third-party provider.

Impact on Individuals

The breach exposed extensive highly sensitive personal information of students and staff, including names, email addresses, phone numbers, bank account details, passport details, tax file numbers, payroll records, visa details, complaint information, health and disability data, and legal records. The comprehensive nature of the compromised data created significant risks for identity theft, fraud, and privacy violations.

Organisational Response

Western Sydney University disclosed the breach in October 2025 after completing its investigation. NSW Police arrested and charged a former student of the university on 25 June 2025 in connection with the incident. The university fulfilled its notification obligations and offered affected individuals access to IDCARE services free of charge. This incident represented at least the fifth significant cybersecurity incident WSU had suffered since 2023.

NSW Police arrested and charged a former Western Sydney University student on 25 June 2025 in connection with the data breach.

Verification Source: View original statement