Incident

Western Sydney University reports data breach impacting students and staff



Western Sydney University (WSU) has notified students and academic staff of a data breach affecting its Microsoft Office 365 and SharePoint environments.

The breach was identified in January 2024 when the university's IT team shut down unauthorized access and launched an internal investigation. The investigation revealed that the university’s Solar Car Laboratory infrastructure might have been used in the incident, and that the unauthorized access began on May 17, 2023.

WSU's IT team, alongside specialists from NSW Police, CrowdStrike, and CyberCX, is conducting an investigation. WSU claims that its core operations remain unaffected, with no disruption to classes, exams, registrations, or research programs.

This incident has impacted approximately 7,500 individuals, although the final number may change as investigations continue.

Exposed data includes:

  • Email communications
  • Documents stored in SharePoint

No details are disclosed about the nature of the attack.

There have been no reported threats to disclose the accessed data, and no demands for ransom have been made. Affected individuals are being notified via email and phone.

Interim Vice-Chancellor Professor Clare Pollock has issued an apology to those affected and reassured the community of WSU's commitment to resolving the issue transparently and supporting impacted individuals.

Update - as of 30th of July 2024, Western Sydney University reports that approximately 580 terabytes of data were accessed from its IT network during the breach. It has now been confirmed that the breach exposed personally identifiable information (PII) and other sensitive data:

  • Names
  • Contact details
  • Dates of birth
  • Health information
  • Sensitive workplace conduct and health and safety information
  • Government identification documents
  • Tax file numbers
  • Superannuation details
  • Bank account information

The breach impacted both the University's Microsoft Office 365 environment and Isilon storage system. Isilon, which holds My Documents information, departmental shared folders, and some backup and archived data, saw 580 terabytes of data accessed across 83 of its 300 directories.

Approximately 7,500 individuals were notified of the breach.

As of 1st of September 2025, Western Sydney University (WSU) confirmed that passport and tax file numbers were exposed online. It is possible, but not currently confirmed, that 27-year-old Birdie Kingston, who hacked the university systems on multiple occasions, is connected to this incident.
