Western Sydney University (WSU) has disclosed two recent security breaches that compromised personal information of thousands of community members.
The university, which serves approximately 47,000 students and employs over 4,500 staff with an annual budget of around $600 million, reported that one of its single sign-on (SSO) systems was compromised between January and February 2025.
This breach resulted in unauthorized access to demographic, enrollment, and progression information for an estimated 10,000 current and former students.
University officials stated they took immediate action to block the attacker upon discovering the breach, and investigations remain ongoing.
In a separate incident, WSU revealed that personal information belonging to university community members was leaked on the dark web. Although the data was published by hackers on November 1, 2024, the university only became aware of the leak on March 24, 2025—nearly five months later.
The university described the leaked information as “broadly reflecting the same types of personal information outlined in previous cyber notifications,” though the exact details remain unclear.
These incidents follow a previous significant breach in May 2023, which the university only discovered and disclosed a year later. In that case, hackers gained access to WSU’s Microsoft Office 365 environment, including email accounts and SharePoint files, impacting approximately 7,500 individuals.
The exposed data included names, contact details, dates of birth, health information, government ID numbers, and bank account information.
More troubling still, investigators determined that the hackers maintained access to WSU’s networks for an extended period—from July 9, 2023, to March 16, 2024—during which they obtained access to 580 terabytes of data.
It remains unclear whether the November 2024 dark web leak contains information stolen during the earlier breach or represents an entirely separate incident.
In response to the mounting cybersecurity crisis, Vice-Chancellor and President George Williams issued an apology.
“Western Sydney University has been the subject of persistent and targeted attacks on our network. The University is very aware of the personal impact these incidents are having on its students, staff and wider community,” George Williams AO said.
“On behalf of the University, I apologise to our community. Our teams are working hard to respond and strengthen our digital environment.
“The higher education sector is increasingly the target of cyber attacks and Western Sydney University is not immune to this evolving threat landscape.
“We ask our community to stay vigilant, remain alert and respond promptly when you are asked to take action.”
The institution said it is working with cyber security experts on this matter.
“The University continues to work with cyber security experts and relevant authorities including the National Office of Cyber Security, Australian Federal Police, the Australian Signals Directorate’s Australian Cyber Security Centre, and the NSW Information and Privacy Commission (IPC),” it said.
“The NSW Police Force’s Cybercrime Squad is also conducting an active investigation under Strike Force Pardey 2025 (E85649285).”
You must be logged in to post a comment.