Western Sydney University Comments After Multiple Cyber Attacks

Western Sydney University has contacted thousands of former and current students to take action after numerous cyber attacks leaked personal information onto the dark web.

The incidents occurred in August 2024, where the hacker gained access to the student management and back end data systems and the single sign on system in late January 2025.

The investigation took several months, but in a recent statement university said that the investigation revealed that a post to the dark web was shared in November 2024 that contained a “sample set of data” that was available to download. 

The investigation team confirmed that the post contained university data and information for sale, stating that the sample dataset has been accessible since the November 1, 2024. 

The dark web and two open posts were shared between June 4 and 8 2025, linking to three fileshare sites hosting a dataset available for download.

Within eight hours of the posts being published the university’s cyber monitoring team detected the data and discovered that it was from the January/February hack on the single sign on system.

“All posts were in breach of the NSW Supreme Court interim injunction and the university issued removal notices to the two open web fileshare sites. By June 8th 2025 the data sets had been removed and by June 20th the third dataset was no longer accessible on the web”, the university said in an email to students seen by CityHub.

Passport numbers, Visa details, and health information leaked

In a recent update, the university revealed that a large amount of personal and private information was shared upon the dark web. Including the names of individuals, date of births, emails, phone numbers, student identification numbers, and tax file numbers.

Additional sensitive data including drivers license details, bank account information, Visa details, Australian and International passport numbers, health and wellbeing details, and university employee details.

As previously stated by the university, mandatory communication to 10,000 current and former students regarding the situation and its impacts.

Western Sydney University worked alongside the NSW Police Cybercrime Squad Strike Force Docker and prosecuted the arrest of a former student in June 2025.

Birdie Kingston, a 27 year old student was accused of accessing the cyber systems and threatening to sell confidential information to the dark web.

Found committing several other offences, Kingston first hacked the database in 2021 to get cheaper campus parking, and was later found guilty of tampering her grades.

By the end of 2023, she had gained access to the online systems and threatened to leak sensitive information.

In a trade off, Kingston allegedly compromised for cryptocurrency at the value of $40,000 in return for the data, police stated, but the university refused.

Following the arrest, Cybercrime Squad Commander Detective Acting Superintendent Jason Smith, said, “There were a number of grievances which were not resolved to their liking and we believe that is the driving factor behind the offending.”

Charged with 21 offences and 10 counts of accessing or modifying data held within a computer, Kingston was found guilty in early June 2025. Shortly after her arrest she was granted bail, although was refused access to the internet or smart devices.