Since unauthorised access to Western Sydney University’s IT network was discovered in January 2024, the University has been undertaking forensic investigations in line with our due diligence and legal obligations to determine the full nature, scope and scale of the incident.
As a result of the ongoing investigations, the University issued this public notification on 31 July 2024 about unauthorised access to the University’s storage platform, known as the Isilon storage platform (Isilon). In particular, the University is drawing this public notification to the attention of our University community, which includes, but is not limited to, our former and current students and staff.
The University unreservedly apologises for this incident and the impact it is having on our community. The University is committed to transparently rectifying this matter and will keep our community updated as our investigation progresses.
Update on the ongoing investigation
After the University notified approximately 7,500 impacted individuals and our community about a breach to our Microsoft Office 365 environment in May 2024, the University confirmed personal information in Isilon was also subject to unauthorised access. Isilon holds My Documents information, departmental shared folders, and some backup and archived data.
We have been analysing, and will continue to analyse, the very large and complex dataset to properly understand the impact the unauthorised access to Isilon has had on individuals’ personal information. The University is now in a position to confirm:
Based on its forensic investigation to date, the University has no evidence that this incident extends beyond the University’s Microsoft Office 365 and Isilon environments.
The University has not received any threats to disclose private information or demands in exchange for maintaining privacy. The University has dark web monitoring in place and there is no evidence to date that the data has been uploaded.
The University has not detected any further unauthorised access to Isilon since remediation work took place. The University continues to engage with the authorities in relation to the perpetrator of the Isilon incident.
What steps the University has taken
The University is working with Australia’s leading digital forensics and incident response team at CyberCX and relevant authorities, including the National Office of Cyber Security, Office of the Australian Information Commissioner, NSW Information and Privacy Commission (IPC), Australian Federal Police, Australian Cyber Security Centre, Australian Signals Directorate and Home Affairs. The NSW Police Force’s Cybercrime Squad is conducting an investigation under Strike Force GIRRAKOOL.
To protect University staff, students and stakeholders, the University sought and was granted an interim injunction in the NSW Supreme Court to prevent access, use, transmission and publication of any data that is the subject of the incident. This includes data in Isilon that was accessed without authorisation.
The University’s leadership and Board have taken a number of steps to remediate the issue and further protect staff and students, including completing a password reset, enhancing detection monitoring, implementing additional firewall protection, increasing our cyber security team capacity, and reviewing data storage and retention practices.
On 31 July 2024, the University drew this public notification to the particular attention of its community in emails issued to students, staff and alumni with information about the steps they can take to protect themselves, and the support services made available to them by the University. The University also issued a media release to draw this public notification to the attention of all those who may be impacted.
The next steps
The University will endeavour to notify individuals about the impact on their personal information in the coming weeks. However, due to the volume and complexity of the data, the University will not be able to issue individual notifications to all those who may be impacted.
What action should you take?
This public notification will help ensure our community stays vigilant to any signs their data may have been accessed.
The University has engaged IDCARE, Australia’s national identity and cyber support service, to provide free advice and support to members of our community who may have questions about how to protect themselves when identity information may have been compromised.
You can find out about ways to protect your personal information by visiting www.idcare.org/wsu-incident-response. You can also contact IDCARE on 1800 595 160 and quote the reference number WESSYDPB24 or complete an online Get Help form.
Support services
For additional support services and enquiries, the University has established a dedicated phone line. The phone line details are as follows: 02 9174 6942 (Monday to Friday, 9.00am to 4.30pm AEDT). This website also has answers to additional questions you may have.
Information about your rights
If you are not satisfied with the University’s response to the incident, you can lodge a complaint or request an internal review by providing the details of your matter via email to internalreview@westernsydney.edu.au. Your email must be received within six months of the date of this public notification (31 July 2024).
If you are not satisfied with the actions taken by the University, you can lodge a complaint with the NSW Information and Privacy Commission (IPC). The IPC has more information about making a complaint as well as your review rights and can be contacted at:
Please note, this public notification will be published on the University’s public notification register from the date of publication (31 July 2024) for 12 months. This public notification will also be available on the Office of General Counsel’s website and the IPC’s website.
After the University notified approximately 7,500 impacted individuals and our community about a breach to our Microsoft Office 365 environment in May 2024, the University confirmed personal information in Isilon was also subject to unauthorised access.
The public notification will help ensure our community stays vigilant to any signs their data may have been accessed.
On 21 May 2024, Western Sydney University notified individuals impacted by unauthorised access to its Microsoft Office 365 environment.
The intrusion was identified by the University in January 2024 and quickly shut down.
The University has been investigating the impact of the unauthorised access and investing in additional remediation measures.
Since January 2024, the University undertook its due diligence to understand the nature, scope and scale of the incident, the number of individuals impacted, and to protect against further harm. This was also done in accordance with the University’s legal obligations.
The investigation has indicated that the earliest known unauthorised access to the University’s Microsoft Office 365 environment was on 17 May 2023 and included access to some email accounts and SharePoint files.
The University is working with a range of authorities, including NSW Police whose investigation is ongoing. The University has also been in ongoing contact with the Office of the Australian Information Commissioner and the NSW Information and Privacy Commission.
The College and Early Learning are also working with the Office of the Australian Information Commissioner.
Overall, approximately 7,500 individuals received notifications on 21 May 2024.
Isilon is the University’s storage platform. It hosts the University’s Desktop My Documents information, departmental shared folders, and some backup and archived data.
The College and Early Learning utilise Isilon as part of their usual operations.
Students and staff have access to their own My Documents, which includes My Documents, Desktop data, downloads, favourites, web history, etc.
The My Documents folders are located on our centralised network storage, which means an individual can access their My Documents on any computer within the Western network. The desktop/laptop needs to be connected to the University’s network via a physical network cable to enable this.
The University is working with Australia’s leading digital forensics and incident response team at CyberCX and relevant authorities, including the National Office of Cyber Security, Office of the Australian Information Commissioner, NSW Information and Privacy Commission, Australian Federal Police, Australian Cyber Security Centre, Australian Signals Directorate and Home Affairs.
The NSW Police Force’s Cybercrime Squad is conducting an investigation under Strike Force GIRRAKOOL.
To protect staff, students and stakeholders, the University sought and was granted an interim injunction in the NSW Supreme Court to prevent access, use, transmission and publication of any data that is the subject of the incident. This includes the data in Isilon that was accessed without authorisation.
The University’s leadership and Board have taken a number of steps to remediate the issue and further protect staff and students, including completing a password reset, enhancing detection monitoring, implementing additional firewall protection, increasing its cyber security team capacity, and reviewing data storage and retention practices.
The University is continuing to work with Australia’s leading digital forensics and incident response team at CyberCX to analyse the data that has been accessed, and our investigations are ongoing.
The University continues to engage with the authorities in relation to the perpetrator of the Isilon incident.
The University has not received any threats to disclose private information or demands in exchange for maintaining privacy.
The University has dark web monitoring in place and there is no evidence to date that the data has been uploaded.
The day-to-day operations of the University, The College and Early Learning have not been impacted by the incident.
This incident may impact certain staff members or students of The College. The College utilises the University’s systems as part of its usual course of operations. For this reason, the personal information of former and current staff members and students of The College may have been accessed. Impacted individuals have been, and will continue to be, notified by The College.
This incident may impact certain staff members of Early Learning. Early Learning utilises the University’s information technology systems as part of its usual course of operations. For this reason, the personal information of former and current staff members of Early Learning may have been accessed. Impacted individuals have been, and will continue to be, notified by Early Learning.
Early Learning utilises the University’s information technology systems as part of its usual course of operations.
Investigations conducted to date indicate that My Documents accounts of Early Learning staff may have been subject to unauthorised access, and so families of Early Learning children who might have been impacted have received a notification.
The University will endeavour to notify individuals about the impact on their personal information in the coming weeks. However, due to the volume and complexity of the data, the University will not be able to issue individual notifications to all those who may be impacted.
If you have any other questions about this incident, please call our dedicated phone line: 02 9174 6942 (Monday to Friday, 9.00am to 4.30pm AEDT).
The University, The College and Early Learning unreservedly apologise and are here to support you. We have arranged the following services for you to access:
You can find out about ways to protect your personal information by visiting www.idcare.org/wsu-incident-response. You can also contact IDCARE on 1800 595 160 and quote the reference number WESSYDPB24 or complete an online Get Help form.
We understand this incident is concerning and we apologise for the impact it is having on our community.
Please call 02 9174 6942 to speak with our dedicated team who can direct you to the most appropriate support.
If you are not satisfied with the University’s response to the incident, you can lodge a complaint or request an internal review by providing the details of your matter via email to internalreview@westernsydney.edu.au. Your email must be received within six months of the date of this public notification (31 July 2024).
If you are not satisfied with the actions taken by the University, you can lodge a complaint with the NSW Information and Privacy Commission (IPC). The IPC has more information about making a complaint as well as your review rights and can be contacted at:
If you are not satisfied with The College or Early Learning’s response to the incident, you can lodge a complaint with the University’s Privacy Officer at privacy@westernsydney.edu.au. Your email must be received within 12 months of the date of the correspondence.
If you are not satisfied with the actions taken by The College or Early Learning, you can lodge a complaint with the Office of the Australian Information Commissioner and seek further guidance via www.oaic.gov.au.
On 31 July 2024, the University issued a public notification about unauthorised access to the University’s Isilon storage platform (Isilon), which holds the University’s My Documents information, departmental shared folders, and some backup and archived data. The College and Early Learning utilise the University’s systems as part of their usual operations, including Isilon.
At the time, we said we would be continuing to analyse the large and complex dataset to determine what impact the unauthorised access to Isilon had on individuals, and we would be issuing individual notifications shortly.
The University can confirm we started issuing individual notifications on 23 August 2024 and more will be issued in due course. The College also commenced issuing individual notifications on 25 September 2024. Early Learning commenced issuing individual notifications on 15 October.
More information about the actions the University, The College and Early Learning recommend individuals take, and the support services available to them, is contained in the notification email. If you have any questions about the notification, please ring the dedicated phone line: 02 9174 6942 (Monday to Friday, 9.00am to 4.30pm AEDT).
We have reported the incident to the Australian Taxation Office (ATO), so it can apply protective measures to your Tax File Number. These measures aim to detect fraudulent activity. There is nothing further you need to do, however, if you have any concerns, you may wish to contact the ATO’s specialist Client Identity Support Centre or website.
If you have any other questions about this incident, please call our dedicated phone line: 02 9174 6942 (Monday to Friday, 9.00am to 4.30pm AEDT).
To help reduce the risk of identity theft or financial loss, you are strongly encouraged to apply for a replacement Driver Licence through Service NSW online or in person at a Service NSW centre.
NSW uses the national Document Verification Service (DVS), which means both your driver licence number and your driver licence card number are required to verify your identity. Thanks to an update to the DVS on 1 September 2022, your NSW Driver Licence number will not verify through the DVS without the card number. This means you do not need to replace your licence. You should remain vigilant for any suspicious or unexpected activities.
Your passport number cannot be used by someone else to obtain a new passport. Robust controls are in place to protect passports from identity takeover, including sophisticated facial recognition technology.
Information contained in your passport may be used for identity purposes with other government agencies and private entities. The more information exposed in an incident the greater the risk someone could use it to act on your behalf.
The following options are available to you:
If you choose to replace your passport, you should allow at least six weeks. If you’re planning to travel in the next six weeks, the Passport Office recommends travelling on your current passport and replacing it on your return. More information about applying for or replacing your passport and data breaches is available on the Australian Passport Office website (search for “replacement,” “apply” or “data breach”) or you can contact them on 131 232 Monday to Friday: 8.00 am to 5.00 pm.
For impacted individuals based overseas, please contact your nearest Australian Embassy or Consulate.
We recommend you contact the issuing authority in the relevant country for advice.
If your Citizenship certificate has been compromised, information on how to apply for a new certificate is available on the Department of Home Affairs’ website at: https://immi.homeaffairs.gov.au/citizenship/certificate.
Place a ‘block and alert’ on your NSW Birth Certificate. This will prevent criminals from using the compromised birth certificate as proof of identity through the Document Verification Service. Contact ID Support NSW to start the block and alert application by:
The University has engaged IDCARE, Australia’s national identity and cyber support service, to provide free advice and support to members of our community who may have questions about how to protect themselves when identity information may have been compromised.
IDCARE has information on actions you can take regarding the different types of PII.
Visit www.idcare.org/wsu-incident-response. You can also contact IDCARE on 1800 595 160 and quote the reference number WESSYDPB24 or complete an online Get Help form.
If you believe your information has been misused as a result of this incident, report this to ReportCyber at cyber.gov.au.
Yes. The 31 October 2024 public notification is for a separate incident to the incidents that the University notified our community of on 21 May 2024 and 31 July 2024. More information is available at https://www.westernsydney.edu.au/publicnotification.
On 21 May 2024, Western Sydney University notified individuals impacted by unauthorised access to its IT network.
The intrusion was identified by the University in January 2024 and quickly shut down.
The University has been investigating the impact of the unauthorised access and investing in additional remediation measures.
Since January 2024, the University undertook its due diligence to understand the nature, scope and scale of the incident, the number of individuals impacted, and to protect against further harm. This was also done in accordance with the University’s legal obligations.
The investigation has indicated that the earliest known unauthorised access to the University’s Microsoft Office 365 environment was on 17 May 2023 and included access to some email accounts and SharePoint files.
Investigations also indicate that the University’s Solar Car Laboratory infrastructure may have been used as part of the incident.
Monitoring and scanning indicate that the preventative measures taken as a part of the incident response have successfully prevented any further unauthorised access.
The University is working with a range of authorities, including NSW Police whose investigation is ongoing. The University has also been in ongoing contact with the NSW Information and Privacy Commission.
Overall, approximately 7,500 individuals have received notifications either by telephone call, email, or both.
The University is continuing to investigate the incident and if further persons are affected by the unauthorised access to the University IT network, they will be notified.
Importantly, there have been no threats received by the University to disclose any of the private information which was accessed, and the University has not received any demands in exchange for maintaining privacy.
In order to protect University staff, students and stakeholders, the University has sought and been granted an injunction from the NSW Supreme Court to prevent access, use, transmission and publication of any data that was the subject of the incident.
The University unreservedly apologises for this incident and its impact on our community. It is deeply regrettable and we are committed to transparently rectifying the matter.
We appreciate that this may be upsetting, and we are here to support you as we work through this together. We have established a dedicated phone line and this website to answer any questions you might have. The phone line details are as follows: 02 9174 6942 (Monday to Friday, 9.00am to 4.30pm AEDT).
Western Sydney University has notified approximately 7,500 individuals impacted by unauthorised access to its IT network.
The intrusion was identified by the University in January 2024 and quickly shut down.
The University has been investigating the impact of the unauthorised access and investing in additional remediation measures.
Since January 2024, the University undertook its due diligence to understand the nature, scope and scale of the incident, the number of individuals impacted, and to protect against further harm. This was also done in accordance with the University’s legal obligations.
The investigation has indicated that the earliest known unauthorised access to the University’s Microsoft Office 365 environment was on 17 May 2023 and included access to some email accounts and SharePoint files.
Monitoring and scanning indicate that the preventative measures taken as a part of the incident response have successfully prevented any further unauthorised access.
Since identifying the issue, the University has been investigating the impact of the unauthorised access and investing in additional remediation measures.
The University engaged two cyber security firms, CrowdStrike and CyberCX, to assist. They were asked to examine the extent of the breach and to advise on improvements to remediate and protect the network. These investigations remain ongoing. We have made additional changes to the network to improve its robustness and protect the student and staff information we are required to hold.
Monitoring and scanning indicate that the preventative measures taken as a part of the incident response have successfully prevented any further unauthorised access.
The University is working with a range of authorities, including NSW Police whose investigation is ongoing. The University has also been in ongoing contact with the NSW Information and Privacy Commission.
This incident is the subject of an ongoing NSW Police investigation. It is a complex investigation which will take time.
The University is continuing to investigate the incident and if further persons are affected by the unauthorised access to the University IT network, they will be notified.
We are grateful to our cyber teams and external cyber security experts who are working to undertake remediation of our network and to support affected parties.
Approximately 7,500 individuals have received notifications.
In order to protect University staff, students and stakeholders, the University has sought and been granted an injunction from the NSW Supreme Court to prevent access, use, transmission and publication of any data that was the subject of the incident.
The core operations of the University have not been impacted.
If you are among those affected who are being contacted on 21 May, you will have received an official notification from the University either by telephone call, email, or both.
The University has a number of supports in place for those impacted by this incident, including:
We understand this incident is concerning, and we apologise for the impact it is having on our community.
Please call 02 9174 6942 to speak with our dedicated team who can direct you to the most appropriate support.
If you have additional questions, please call 02 9174 6942 to speak with our dedicated team who can direct you to the most appropriate support.