Public Notification –
Western Sydney University cyber incident

After the University notified approximately 7,500 impacted individuals and our community about a breach to our Microsoft Office 365 environment in May 2024, the University confirmed personal information in Isilon was also subject to unauthorised access.

The public notification will help ensure our community stay vigilant to any signs their data may have been accessed.

On 21 May 2024, Western Sydney University notified individuals impacted by unauthorised access to its Microsoft Office 365 environment.

The intrusion was identified by the University in January 2024 and quickly shut down.

The University has been investigating the impact of the unauthorised access and investing in additional remediation measures.

Since January 2024, the University undertook its due diligence to understand the nature, scope and scale of the incident, the number of individuals impacted, and to protect against further harm. This was also done in accordance with the University’s legal obligations.

The investigation has indicated that the earliest known unauthorised access to the University’s Microsoft Office 365 environment was on 17 May 2023 and included access to some email accounts and SharePoint files.

The University is working with a range of authorities, including NSW Police whose investigation is ongoing. The University has also been in ongoing contact with the Office of the Australian Information Commissioner and the NSW Information and Privacy Commission.  

The College and Early Learning are also working with the Office of the Australian Information Commissioner.

Overall, approximately 7,500 individuals received notifications on 21 May 2024.

Isilon is the University’s storage platform. It hosts the University’s Desktop My Documents information, departmental shared folders, and some backup and archived data.

The College and Early Learning utilise Isilon as part of their usual operations.

Students and staff have access to their own My Documents, which includes My Documents, Desktop data, downloads, favourites and web history etc.

The My Documents folders are located on our centralised network storage, which means an individual can access their My Documents on any computer within the Western network. The desktop/laptop needs to be connected to the University’s network via a physical network cable to enable this.

The University is working with Australia’s leading digital forensics and incident response team at CyberCX and relevant authorities, including the National Office of Cyber Security, Office of the Australian Information Commissioner, NSW Information and Privacy Commission, Australian Federal Police, Australian Cyber Security Centre, Australian Signals Directorate and Home Affairs.

The NSW Police Force’s Cybercrime Squad is conducting an investigation under Strike Force GIRRAKOOL.

To protect staff, students and stakeholders, the University sought and was granted an interim injunction in the NSW Supreme Court to prevent access, use, transmission and publication of any data that is the subject of the incident. This includes the data in Isilon that was accessed without authorisation.

The University’s leadership and Board have taken a number of steps to remediate the issue and further protect staff and students, including completing a password reset, enhancing detection monitoring, implementing additional firewall protection, increasing its cyber security team capacity, and reviewing data storage and retention practices.

The University is continuing to work with Australia’s leading digital forensics and incident response team at CyberCX to analyse the data that has been accessed, and our investigations are ongoing.

The University continues to engage with the authorities in relation to the perpetrator of the Isilon incident.

The University has not received any threats to disclose private information or demands in exchange for maintaining privacy.

The University has dark web monitoring in place and there is no evidence to date that the data has been uploaded.

The University’s, The College and Early Learning’s day-to-day operations have not been impacted by the incident.

This incident may impact certain staff members or students of The College. The College utilises the University’s systems as part of its usual course of operations. For this reason, the personal information of former and current staff members and students of The College may have been accessed. Impacted individuals have been, and will continued to be, notified by The College.

This incident may impact certain staff members of Early Learning. Early Learning utilises the University’s information technology systems as part of its usual course of operations. For this reason, the personal information of former and current staff members of Early Learning may have been accessed. Impacted individuals have been, and will continued to be, notified by Early Learning.

Early Learning utilises the University’s information technology systems as part of its usual course of operations.

Investigations conducted to date indicate that My Document accounts of Early Learning staff may have been subject to unauthorised access, and so families of Early Learning children who might have been impacted have received a notification.

The University will endeavour to notify individuals about the impact on their personal information in the coming weeks. However, due to the volume and complexity of the data, the University will not be able to issue individual notifications to all those who may be impacted.

If you have any other questions about this incident, please call our dedicated phone line: 02 9174 6942 (Monday to Friday, 9.00am to 4.30pm AEDT).

 The University, The College and Early Learning unreservedly apologise and are here to support you. We have arranged the following services for you to access:

• The University has engaged IDCARE, Australia’s national identity and cyber support service, to provide free advice and support to members of our community who may have questions about how to protect themselves when identity information may have been compromised.

You can find out about ways to protect your personal information by visiting www.idcare.org/wsu-incident-response. You can also contact IDCARE on 1800 595 160 and quote the reference number WESSYDPB24 or complete an online Get Help form.

• We have established a dedicated phone line and this website to answer any questions you might have. The phone line details are as follows: 02 9174 6942 (Monday to Friday, 9.00am to 4.30pm AEDT).
  
  
• The Information and Privacy Commission NSW has listed a range of resources and support available on their website.
  
  
• If you believe your information has been misused as a result of this incident, report this to ReportCyber at cyber.gov.au

We understand this incident is concerning and we apologise for the impact it is having on our community.

Please call 02 9174 6942 to speak with our dedicated team who can direct you to the most appropriate support.

If you have any other questions about this incident, please call our dedicated phone line: 02 9174 6942 (Monday to Friday, 9.00am to 4.30pm AEDT).

If you are not satisfied with the University’s response to the incident, you can lodge a complaint or request an internal review by providing the details of your matter via email to internalreview@westernsydney.edu.au. Your email must be received within six months of the date of this public notification (31 July 2024).

If you are not satisfied with the actions taken by the University, you can lodge a complaint with the NSW Information and Privacy Commission (IPC). The IPC has more information about making a complaint as well as your review rights and can be contacted at:

• Phone: 1800 472 679
• Email: ipcinfo@ipc.nsw.gov.au
• Post: GPO Box 7011, Sydney NSW 2001
• Website: www.ipc.nsw.gov.au

If you are not satisfied with The College or Early Learning’s response to the incident, you can lodge a complaint to the University’s Privacy Officer privacy@westernsydney.edu.au. Your email must be received within 12 months of the date of the correspondence. 

If you are not satisfied with the actions taken by The College or Early Learning, you can lodge a complaint with the Office of the Australian Information Commissioner and seek further guidance via www.oaic.gov.au. 

On 31 July 2024, the University issued a public notification about unauthorised access to the University’s Isilon storage platform (Isilon), which holds the University’s My Documents information, departmental shared folders, and some backup and archived data. The College and Early Learning utilise the University’s systems as part of their usual operations, including Isilon.

At the time, we said we would be continuing to analyse the large and complex dataset to determine what impact the unauthorised access to Isilon had on individuals, and we would be issuing individual notifications shortly.

The University can confirm we started issuing individual notifications on 23 August 2024 and more will be issued in due course. The College also commenced issuing individual notifications on 25 September 2024. Early Learning commenced issuing individual notifications on 15 October.

More information about the actions the University, The College and Early Learning recommend individuals take and the support services available to them, are contained in the notification email. If you have any questions about the notification, please ring the dedicated phone line: 02 9174 6942 (Monday to Friday, 9.00am to 4.30pm AEDT).

We have reported the incident to the Australian Taxation Office (ATO), so it can apply protective measures to your Tax File Number. These measures aim to detect fraudulent activity. There is nothing further you need to do, however, if you have any concerns, you may wish to contact the ATO’s specialist Client Identity Support Centre or website.

• Phone: 1800 467 033 (Monday to Friday 8.00am–6.00pm AEDT)
• ATO Website

If you have any other questions about this incident, please call our dedicated phone line: 02 9174 6942 (Monday to Friday, 9.00am to 4.30pm AEDT).

To help reduce the risk of identity theft or financial loss, you are strongly encouraged to apply for a replacement Driver Licence through Service NSW online or in person at a Service NSW centre.

NSW uses the national Document Verification Service (DVS) which means both your driver licence number and your driver licence card number are required to verify your identity. Thanks to an update to the Document Verification Service (DVS) on 1 September 2022, your NSW Driver Licence number will not verify through the DVS without the card number. This means you do not need to replace your licence. You should remain vigilant and for any suspicious or unexpected activities.

Your passport number cannot be used by someone else to obtain a new passport. Robust controls are in place to protect passports from identity takeover, including sophisticated facial recognition technology.

Information contained in your passport may be used for identity purposes with other government agencies and private entities. The more information exposed in an incident the greater the risk someone could use it to act on your behalf.

The following options are available to you: 

1. You can choose to do nothing, as the passport is valid for travel.  
2. You can choose to replace your passport.
   1. If it has more than 2 years validity, replacements are issued for the remaining validity of your current passport for a reduced fee. 
   2. If you have less than 2 years validity, and you wish to replace your passport, you will be required to apply for a passport renewal and pay the full fee. 
   3. If you request to replace your passport it will no longer be valid for travel or for identity purposes from the time your application is received.   
3. You can cancel your passport immediately by calling the Australian Passport Office contact centre on 131 232. If you cancel your passport the cancellation will be permanent, and the passport will no longer be valid for travel or for identity purposes. When you are ready to apply for a new passport, you will need to complete a full application form, including paying the appropriate fees.  

If you choose to replace your passport, you should allow at least six weeks. If you’re planning to travel in the next six weeks, the Passport Office recommend travelling on your current passport and replacing it on your return.  More information about applying for or replacing your passport and data breaches is available on the Australian Passport Office website (search for “replacement,” “apply” or “data breach”) or you can contact them on 131 232 Monday to Friday: 8.00 am to 5.00 pm.

For impacted individuals based overseas, please contact your nearest Australian Embassy or Consulate. 

We recommend you contact the issuing authority in the relevant country for advice.

If your Citizenship certificate has been compromised, information on how to apply for a new certificate is available on the Department of Home Affairs’ website at: https://immi.homeaffairs.gov.au/citizenship/certificate.

Place a ‘block and alert’ on your NSW Birth Certificate. This will prevent criminals from using the compromised birth certificate as proof of identity through the Document Verification Service. Contact ID Support NSW to start the block and alert application by:

• Calling 1800 001 040, Monday to Friday between 9am and 5pm (Sydney time), or;
• Completing the ID Support NSW online form so an Advisor can call you back. 

The University has engaged IDCARE, Australia’s national identity and cyber support service, to provide free advice and support to members of our community who may have questions about how to protect themselves when identity information may have been compromised. 

IDCARE has information on actions you can take regarding the different types of PII. 

Visit www.idcare.org/wsu-incident-response. You can also contact IDCARE on 1800 595 160 and quote the reference number WESSYDPB24 or complete an online Get Help form.

If you believe your information has been misused as a result of this incident, report this to ReportCyber at cyber.gov.au

If you have any other questions about this incident, please call our dedicated phone line: 02 9174 6942 (Monday to Friday, 9.00am to 4.30pm AEDT). 

Yes. The 31 October 2024 public notification is for a separate incident to the incidents that the University notified our community of on 21 May 2024 and 31 July 2024. More information is available at https://www.westernsydney.edu.au/publicnotification.