10,000 Students Have Had Their Data Stolen in University Cyber Breach

More than 10,000 students at one of Australia’s largest universities have had their details stolen, with Western Sydney University becoming the target of another cyber breach. In a statement released on Thursday, the university said information relating to demographics, enrollment, and course progress has been stolen.

In late March, in a separate incident, “personal information belonging to the university community” was discovered on the dark web; the information had been online for almost five months.

It remains unclear if the information was for sale or posted as a whole.

A university spokesperson said the matter was under police investigation and could not be elaborated on. A court injunction granted by the courts last year prevents any stolen university data from being accessed, used, transmitted or published.

“As impacted individuals are identified, we will notify them and explain the steps those individuals should take to protect themselves,” a university spokesperson said in a statement.

“To protect its staff, students and community, the university has previously sought and was granted an interim injunction in the NSW Supreme Court to prevent access, use, transmission and publication of any data associated with (a prior stolen data, dark web) post.”

Not the first cyber breach

The incidents are being investigated by the NSW cybercrime police squad.

The latest theft was done through one of the university’s single sign-on (SSO) systems earlier this year.

“As soon as the unauthorised access was detected, our internal and third-party cyber experts immediately began working to shut down the perpetrator’s access to our system in real time. I’d like to thank our expert teams for their rapid and professional response,” the university spokesperson said.

“The university expects to notify approximately 10,000 current and former students next week whose information was subject to unauthorised access that occurred in January and February 2025.”

This is far from the first data theft from Western Sydney University. From mid-2023 to March 2024, 580 terabytes of names, contact information, dates of birth, health information, government identification, tax file numbers, and bank account details were stolen. This attack was conducted through Microsoft Office 365 and Dell’s storage platform, Isilon.

“Western Sydney University has been the subject of persistent and targeted attacks on our network,” the spokesperson said on Thursday.

“We are very aware of the personal impact these incidents are having on our students, staff and wider community, and on behalf of the university, I sincerely apologise.”