

A former Western Sydney Uni student has been charged after allegedly hacking the university’s databases for free parking, changing her own grades and threatening to sell other students’ personal data on the dark web.
The 27-year-old allegedly pursued a four-year hacking operation against WSU, which involved a range of breaches including unauthorised access, data exfiltration, system compromise and misuse of university infrastructure.
The former student was arrested on Wednesday and charged with 20 offences including accessing or modifying restricted data on a computer, possessing data with the intent to commit computer offences, dishonestly obtaining financial advantage by deception, and unauthorised function with intent serious offence.
Police allege the woman initially exploited the Western Sydney University systems to secure unauthorised discounted parking on campus.
Student threatened to sell other students’ data on dark web
However, as the offending escalated, the woman is alleged to have altered her academic results and eventually threatened to sell confidential student data on the dark web.
It is estimated that hundreds of university staff and students were affected by these incidents.
“The arrest was a culmination of a very technical and complex investigation spanning a number of years,” Detective Acting Superintendent Jason Smith said at a press conference.
The police have seized more than 100 gigabytes of data from a cloud server but have yet to “go through” the data.
Acting Supt Jason Smith stated that there had been a demand posted on a “fairly popular darknet forum” in relation to the data, but there was “no evidence” that any personal data had been sold or published by the former Western Sydney University engineering student.
7,500 affected by Western Sydney Uni data breach
Last July, WSU issued a public statement, notifying students that unauthorised access to the IT network had been discovered in January and the university was undertaking “forensic investigations” to determine the full nature, scope and scale of the incident.
The university notified approximately 7,500 individuals whose personal information was affected in the incident. The data was stored on the Isilon system, which contains “My Documents” files, departmental shared folders, and archived backup data. The compromised information includes bank details, tax file numbers, and other sensitive personal data.
The woman was refused bail to appear in Parramatta Local Court on Thursday.
Investigations are ongoing.