Public Notification –
Western Sydney University cyber incident

This public notification is to inform Western Sydney University’s community that previously stolen personal information was unlawfully published on the open web and dark web, and to outline the steps people can take to protect themselves.

The University’s enhanced cyber capabilities have detected the unlawful publication of personal information that was stolen through two previous cyber incidents:

• the Student Management System and other storage systems incident, notified on 31 October 2024, corrected on 11 February 2025; and
• the single sign-on (SSO) systems incident, announced on 10 and 15 April 2025.

This public notification is for the attention of former and current students and staff of the University, The College, The International College, and staff of Early Learning Ltd., including those who were impacted by the cyber incidents mentioned above.

The University sincerely apologises for the impact of these incidents on its community and remains committed to transparent communication and rectifying this matter as quickly as possible.

Dark web post – November 2024 (Student Management System and other storage systems incident)

On 10 and 15 April 2025, Western Sydney University informed its community of a dark web post purporting to contain personal information belonging to people in the University community. 

The University has undertaken an extensive investigation in conjunction with the digital forensic experts and can confirm the following:

• On 24 March 2025, as a result of its continued investment in cyber capabilities, the University identified a dark web post dated 1 November 2024.
• The dark web post contains a set of sample data available to download, and mentions a larger dataset available for purchase. The University securely downloaded the sample data and undertook forensic analysis which confirmed it contained legitimate University data. The University did not purchase the larger dataset as it does not participate in the proceeds of crime and will not pay for information that has been unlawfully obtained.
• Forensic analysis indicates the source of the sample dataset and the larger dataset offered for sale on the dark web post is likely the cyber incident the University notified its community of on 31 October 2024.
• The sample dataset has been accessible from 1 November 2024 and remains live. The nature of the dark web means it is not possible to issue takedown notices to dark web forums.

Open and dark web posts – June 2025 (SSO incident)

Between 4-8 June 2025, two open web posts and one dark web post went live, linking to three fileshare sites hosting a dataset available for download. By 20 June 2025, all datasets had been taken down.

The University’s extended cyber monitoring detected these open web and dark web posts within eight hours of going live. Investigations have confirmed the following:

• The source of the datasets has been confirmed as the single sign-on (SSO) incident which the University announced on 10 April 2025, and individual notifications were sent on 15 April 2025.
• All posts were in breach of the NSW Supreme Court interim injunction the University was granted last year.
• The University issued takedown notices to the two open web fileshare sites within hours of detection and by 8 June 2025, those datasets had been removed.
• By 20 June 2025, the third dataset was no longer accessible.

The types of personal information which have been unlawfully published includes: 

• Name / Former name
• Address
• Date of birth
• Sex
• Gender
• Landline and mobile phone numbers
• University-issued email addresses
• Non-University issued email addresses
• WSU student identification numbers
• Tax File Numbers (TFN)
• Australian passport numbers
• International passport numbers
• Australian visa numbers
• Drivers licence numbers
• Bank account information
• Sensitive information relating to health and wellbeing
• University Admissions Centre (UAC) identification and reference numbers
• Unique Student Identifiers (USI)
• Commonwealth Higher Education Student Support Numbers (CHESSN)
• Tuition fee information, including fees deferred to HELP/HECS
• Student admission and enrolment data including:
  • Subject
  • Results and progression information
  • Parent education level
• Student demographic data including:
  • Nationality
  • Indigenous status
  • Country of birth
  • Citizenship status
  • Visa type
  • First in family information
• Culturally and Linguistically Diverse (CALD) / Aboriginal and Torres Strait Islander (ATSI) / Socio-Economic Status (SES) background indicators
• WSU employee data including employment basis and award salary level
• WSU employee identification numbers

The University has engaged IDCARE, Australia’s national identity and cyber support service, to provide free advice and support to those who may have questions about how to protect themselves when their identity information has been compromised.

If you have taken steps to protect your personal information following the previous cyber incidents, there may be additional steps you should take. Please let IDCARE know if this is the case so they can provide you with the most appropriate advice.

You can contact IDCARE on 1800 595 160 and quote the reference number WESSYDWP25 or complete an online Get Help form via www.idcare.org/wsu-incident-response.

• Cyber incident website: A dedicated website has been published with information about cyber incidents impacting the University community, including answers to questions you might have and general information about cyber security and incident management. This is available at: westernsydney.edu.au/cyberdetails
• University phone line: The University has a phone line to support enquiries about this notice. They will be able to direct you to the appropriate supports available.
  
  Phone: 02 9174 6942 (Monday to Friday, 9.00am to 4.30pm AEST)

• Information and Privacy Commission NSW (IPC): The IPC also has a range of useful resources and support available on their website at ipc.nsw.gov.au/privacy/resources-citizens/data-breach-support
• ReportCyber: If you believe your information has been misused as a result of this incident, report this at cyber.gov.au

If you are not satisfied with the University’s response to the incident, you can lodge a complaint or request an internal review by providing the details of your matter via email to internalreview@westernsydney.edu.au. An internal review is a fact finding investigation into your privacy complaint and how an incident has affected you. Your email must be received within six months of when you first became aware of the impact on you.

If you are not satisfied with the actions taken by the University, you can lodge a complaint with the IPC within six months of when you first became aware of the impact on you. The IPC has more information about making a complaint, as well as your review rights, and can be contacted at:

• Phone:1800 472 679
• Email: ipcinfo@ipc.nsw.gov.au
• Post:GPO Box 7011, Sydney NSW 2001
• Website: ipc.nsw.gov.au

Please note, this public notification will be published on the University’s public notification register from today's date (28 August 2025) for 12 months. This public notification will also be available on the Office of General Counsel’s website and the IPC’s website.

If you are a staff member or student from The College or International College or a staff member from Early Learning Ltd and you are not satisfied:

• With the University’s response to this incident, you can lodge a complaint to the University’s Privacy Officer privacy@westernsydney.edu.au within 12 months of when you first became aware of the impact on you.
• With the actions taken by The College, International College or Early Learning Ltd, you can lodge a complaint with the Office of the Australian Information Commissioner within 12 months of when you first became aware of the impact on you and seek further guidance via oaic.gov.au.

The University continues to uplift its cyber security protections and implement a comprehensive remediation program with the highest priority. This includes, but is not limited to:

• Ongoing password hygiene.
• Enhancing detection and implementing 24/7 monitoring capabilities.
• Implementing additional firewall protection.
• Increasing the cyber security team capacity.
• Rollout of a new Multi-Factor Authentication (MFA) platform for staff ensuring more secure access across our systems, with student implementation underway.
• Appointing a senior risk advisor to strengthen cyber governance and oversight.
• Other enhancements including a new cyber threat intelligence capability.

The University has been working closely with NSW Police Force Cybercrime Squad’s Strike Force Docker. On 25 June 2025, NSW Police arrested and charged a former student of the University. NSW Police allege this former student was involved in the unauthorised access to our systems and threatened to sell confidential information on the dark web.

The interim injunction previously granted to the University by the NSW Supreme Court continues to prohibit transmission, publication and use of any information or material obtained by the former student in an unauthorised manner from the University’s IT systems and network between March 2021 and June 2025.

The University continues to work with cyber security experts and relevant authorities across Government, including the National Office of Cyber Security, Australian Federal Police and the Australian Signals Directorate’s Australian Cyber Security Centre.

The University will endeavour to notify individuals about specific impacts on their personal information where possible. This public notification will help ensure the University community stays vigilant to any signs their data may have been accessed.

The University advises its community to review this public notification against other notifications, and to take the recommended actions to protect your personal information.