Public Notification –
Western Sydney University cyber incident

This public notification is to inform Western Sydney University’s community about personal information that may have been impacted in a cyber incident, and to outline the steps people can take to protect their information.

I want to again apologise for the impact this is having and give you my assurance that we are doing everything we can to rectify this issue and support our community.

This starts with working closely with NSW Police Force Cybercrime Squad’s Strike Force Docker. On 25 June 2025, NSW Police arrested and charged a former student of the University.

Despite this, attempts to gain unauthorised access to our systems have continued, including via external parties that supply IT services to the University. In recent weeks, it has become clear that these incidents are intended to harm our community.

The University identified two instances of unusual activity on 6 August 2025 and 11 August 2025. This activity occurred on the University’s Student Management System, hosted by a third-party provider on a cloud-based platform.

An investigation commenced immediately, and the University directed the third-party provider to shut down access to its platform. The investigation confirmed that unauthorised access to this system was obtained through a further external system linked to that platform between 19 June 2025 and 3 September 2025.

Unauthorised entry through these third and fourth party systems enabled personal information to be accessed and exfiltrated from the University’s Student Management System.

The University’s investigations confirm that the fraudulent emails which were sent to some community members on 6 October 2025 used data stolen in this incident.

As soon as the University became aware, it reported the matter to NSW Police and the relevant regulatory authorities. NSW Police requested the University refrain from notifying its community at the time to avoid interfering with ongoing Police investigations.

NSW Police has now approved the release of today’s notification, which is for the attention of offer recipients, former and current students and staff of the University, The College, The International College, and staff of Early Learning Ltd. 

The types of personal information that may have been impacted include:

• Contact information (address, email address, phone number)
• Name, date of birth, student or staff ID
• Country of birth, nationality, citizenship and/or gender or identity information
• Ethnicity
• Employment and payroll details
• Bank account details
• Tax file number
• Driver licence details
• Passport details
• Visa information
• Complaint/case information
• Health and disability information
• Legal information.

The University will today issue individual notifications to those impacted by this incident. Some notifications will include personal information impacted through previous incidents, identified through ongoing investigations.

More information on previous incidents is available at: www.westernsydney.edu.au/cyberdetails.

You should consider changing your personal and University email account passwords and trying to make your password at least 15 characters, combining uppercase and lowercase letters, numbers, and symbols.

If you use the same password for your email account with your online banking, utilities and social media accounts, you should consider resetting your passwords for those accounts and setting up multi-factor authentication for each account. You may consider avoiding using the same password on multiple online accounts.

The University continues to engage IDCARE, Australia’s national identity and cyber support service. Contact IDCARE at www.idcare.org/contact/get-help or on 1800 595 160 for additional guidance on the steps you can take to protect yourself from the exploitation of your information and accounts.

Use the Referral Code WSUDB25 when lodging your request.

• Cyber incident website: A dedicated website has been published with information about cyber incidents impacting the University community, including answers to questions you might have and general information about cyber security and incident management. This is available at: westernsydney.edu.au/cyberdetails

• University phone line: The University has a phone line to support enquiries about this notice. Our team will be able to direct you to the appropriate support available, which may include counselling sessions and other tailored services. Phone: 02 9174 6942 (Monday to Friday, 9.00am to 4.30pm AEDT). Please remember to treat our team with respect.

• Information and Privacy Commission NSW (IPC): The IPC also has a range of useful resources and support available on their website at www.ipc.nsw.gov.au/privacy/resources-citizens/data-breach-support. Additionally, the IPC has prepared a fact sheet which provides specific guidance and information on how to protect your personal information involved in a data breach. View that here: https://www.ipc.nsw.gov.au/sites/default/files/2025-06/Guidance_You_have_been_told_your_information_has_been_breached_June_2025.pdf

• Australian Cyber Security Centre: If you believe your information has been misused as a result of this incident, report this at www.cyber.gov.au/report-and-recover/report.

If you are not satisfied with the University’s response to the incident, you can request an internal review by providing the details of your matter via email to internalreview@westernsydney.edu.au. An internal review is a fact finding investigation into your privacy concern and how an incident has affected you. You should lodge the privacy internal review within six months after you first became aware of this incident.

If you are not satisfied with the actions taken by the University, you can lodge a complaint with the IPC within six months of when you first became aware of this incident. The IPC has more information about making a complaint, as well as your review rights, and can be contacted at:

• Phone: 1800 472 679
• Email: ipcinfo@ipc.nsw.gov.au
• Post: GPO Box 7011, Sydney NSW 2001
• Website: www.ipc.nsw.gov.au

Please note, this public notification will be published on the University’s public notification register from today's date (23 October 2025) for 12 months. This public notification will also be available on the Office of General Counsel’s website and the IPC’s website.

If you are an offer recipient, a staff member or student from The College or International College or a staff member from Early Learning Ltd and you are not satisfied:

• With the University’s response to this incident, you can lodge a complaint to the University’s Privacy Officer privacy@westernsydney.edu.au within 12 months of when you first became aware of this incident.
• With the actions taken by The College, International College or Early Learning Ltd, you can lodge a complaint with the Office of the Australian Information Commissioner within 12 months of when you first became aware of the impact on you and seek further guidance via oaic.gov.au 

We will continue to strengthen our cyber security capabilities to protect our students, staff and community and have engaged expert services at considerable cost to ensure that strong cyber protections are put in place. Some of the steps we’ve taken include but are not limited to:

• Resetting and reissuing system credentials, keys and access tokens, and strengthening oversight of external technology providers.
• Enhancing identity and access safeguards, including stronger authentication requirements and stricter controls over privileged accounts.
• Uplifting governance and assurance, including supply chain cyber reviews and simulations to improve response readiness.
• Ongoing password hygiene.
• Expanded protections for web applications.
• Enhancing detection and implementing 24/7 monitoring and cyber response capabilities.
• Other enhancements including a new cyber threat intelligence capability.

The interim injunction previously granted to the University by the NSW Supreme Court continues to prohibit transmission, publication and use of any information or material obtained by the former student in an unauthorised manner from the University’s IT systems and network.

The University continues to work with cyber security experts and relevant authorities across Government, including the National Office of Cyber Security, Australian Federal Police and the Australian Signals Directorate’s Australian Cyber Security Centre.

Thank you for your continued attention to these notifications. It is important that you read them carefully and take the steps outlined.