STUDENTS
STAFF
Search Western Sydney University website
Contact Us
Header Logo
Search Western Sydney University website
Kingswood campus Library

On 31 October 2024 Western Sydney University notified its community of unauthorised access to the University’s Student Management System and other back-end data storage systems, including the Data Warehouse from 14 August to 31 August 2024.

On 11 February 2025, the University issued a correction and an update to the public notification, confirming:

  1. The unauthorised access to these systems occurred from 14 August to 3 September, three days longer than we originally notified on 31 October 2024.
  2. Additional personally identifiable information that may have been accessed, including first in family status and parent education level. This information is required as part of the enrolment process.

The recommendations for impacted individuals remain the same and are outlined in the notification under the section ‘What action should you take?’.

The University has updated the below public notification and has again drawn this notification to the attention of our former and current students and staff of the University, The College and The International College, staff of Early Learning Ltd. 

The University is committed to keeping our community updated through our investigation process and communicating transparently. Information about the support services the University has available are detailed in the public notification below.

31 October 2024 (corrected and updated on 11 February 2025)

Western Sydney University issued this public notification on 31 October 2024, and draws this to the attention of our former and current students and staff of the University, The College and The International College, and staff of Early Learning Ltd. 

This public notification is for a separate cyber incident to the incidents that the University notified our community of on 21 May 2024 related to the University’s Microsoft Office 365 environment, and 31 July 2024 related to the University’s storage platform (Isilon), including My Documents.

The University is issuing this notification to ensure that our community stays vigilant to any signs their data may have been accessed. Please consider all of your personal information that has been impacted across all the University’s cyber incidents and take seriously the recommended actions you can take to protect yourself.

The University sincerely apologises for this incident and the ongoing impact it is having on our community. We are committed to transparently rectifying this matter and will keep our community updated as our investigation progresses.

Details of the incident

The University can confirm that an IT account was compromised which provided a perpetrator with unauthorised access to some data from the Student Management System and other back-end data storage systems including the Data Warehouse, from 14 August 2024 until 3 September 2024. 

Our investigation has confirmed names, addresses, University-issued email addresses, student identification numbers, tuition fee information (including fees deferred to HELP/HECS), student admission and enrolment data (including subject, results and progression information, and parent education level), and student demographic data (including nationality, Indigenous status, country of birth, citizenship status, gender, date of birth and first in family information) were accessed.

The University has undertaken a preliminary analysis and can also confirm the following:

  • On 27 August 2024, the University detected the unauthorised access and took immediate steps to protect our network in response.
  • On 3 September 2024, the unauthorised access was contained.
  • On 1 October 2024, the University’s investigation confirmed that personal information was accessed.
  • As at 11 February 2025, our investigation into what data from the Student Management System and Data Warehouse was accessed confirmed the personal information listed above.
  • As this investigation progresses, additional personal information may be found to have been accessed.
  • There is no evidence to date that student records have been altered.

The University has not received any threats to disclose private information or demands in exchange for maintaining privacy. The University has dark web monitoring in place and there is no evidence to date that the data has been uploaded.

The University’s investigation to date indicates the perpetrator has used sophisticated techniques to gain unauthorised access in a targeted, persistent and sustained manner.

What the University has done to secure personal information and mitigate harm

The University continues to uplift our cyber security protections in response to this cyber incident and to the separate incidents that the University became aware of earlier this year (http://www.westernsydney.edu.au/cyberincident). Our ongoing remediation work includes, but is not limited to:

  • Ongoing password resets.
  • Enhancing detection and implementing 24/7 monitoring capabilities.
  • Implementing additional firewall protection.
  • Increasing our cyber security team capacity.

Students and staff are advised that there may be ongoing disruption to the IT network as the University continues to uplift its cyber security protections. The University is not in a position to provide any further specific information about our remediation efforts to protect the ongoing security of our system.

The University is working with cyber security experts and relevant authorities across Government, including the National Office of Cyber Security, Australian Federal Police, the Australian Signals Directorate’s Australian Cyber Security Centre, and the NSW Information and Privacy Commission (IPC). The NSW Police Force’s Cybercrime Squad is also conducting an active investigation.

To protect University staff, students and stakeholders, the University sought and was granted an interim injunction in the NSW Supreme Court to prevent access, use, transmission and publication of any data that is the subject of the cyber incidents notified this year. This interim injunction has been extended to include the data accessed in this incident.

Next steps

The University will endeavour to notify individuals about any further impact on their personal information as quickly as possible. This public notification will help ensure our community stays vigilant to any signs their data may have been accessed.

The University strongly recommends you review this public notification against other notifications you have received from the University, and take the below actions to protect your personal information.

What action should you take?

The University has engaged IDCARE, Australia’s national identity and cyber support service, to provide free advice and support to members of our community who may have questions about how to protect themselves when identity information may have been compromised.

If you have been impacted by the previous cyber incidents, you should take additional steps to protect your personal information. Please let IDCARE know if this is the case so they can provide you with the most appropriate advice.

You can contact IDCARE on 1800 595 160 and quote the reference number WESSYSMS24 or complete an online Get Help form via www.idcare.org/wsu-incident-response.

Support services

For additional support services and enquiries, the University has established a dedicated phone line. The phone line details are as follows: 02 9174 6942 (Monday to Friday, 9.00am to 4.30pm AEDT). This web page also has answers to additional questions you may have. See below.

Information about your rights

If you are not satisfied with the University’s response to the incident, you can lodge a complaint or request an internal review by providing the details of your matter via email to internalreview@westernsydney.edu.au. Your email must be received within six months of when you first became aware of the impact on you.

If you are not satisfied with the actions taken by the University, you can lodge a complaint with the NSW Information and Privacy Commission (IPC) within six months of when you first became aware of the impact on you. The IPC has more information about making a complaint, as well as your review rights, and can be contacted at:

Please note, this public notification will be published on the University’s public notification register from today's date (11 February 2025) for 12 months. This public notification will also be available on the Office of General Counsel’s website and the IPC’s website.

If you are a staff member or student from The College or International College or a staff member from Early Learning Ltd and you are not satisfied:

  • with the University’s response to this incident, you can lodge a complaint to the University’s Privacy Officer privacy@westernsydney.edu.au within twelve months of when you first became aware of the impact on you.
  • with the actions taken by The College, International College or Early Learning Ltd, you can lodge a complaint with the Office of the Australian Information Commissioner within twelve months of when you first became aware of the impact on you and seek further guidance via oaic.gov.au.

Frequently Asked Questions

On 11 February 2025, the Western Sydney University corrected and updated its public notification. 

On 31 October 2024 we notified you that unauthorised access to the Student Management System and other back-end data storage systems including the Data Warehouse occurred from 14 August to 31 August 2024. The University has now confirmed that unauthorised access to these systems may have continued until 3 September, three days longer than originally notified. 

The University accordingly updated its notice in line with its commitment to open and transparent communications. The University also confirmed no further action was required beyond the advice already provided on 31 October 2024. 

The University also updated the types of personally identifiable information that might have been accessed, to include first in family status and parent education level. This information is required as part of the enrolment process.

The University’s Data Warehouse is where data sourced from various systems, including student systems, engagement platforms, HR systems and financial systems, is stored.  

Other back-end systems were predominately used by the technical teams and operational staff to support the University’s day-to-day operations.

The University continues to uplift our cyber security protections in response to this cyber incident and the separate incidents the University became aware of earlier this year. Our ongoing remediation work includes, but is not limited to:

  • Ongoing password resets.
  • Enhancing detection and implementing 24/7 monitoring capabilities.
  • Implementing additional firewall protection.
  • Increasing our cyber security team capacity.

Students and staff are advised that there may be ongoing disruption to the IT network as the University continues to uplift its cyber security protections. The University is not in a position to provide any further specific information about our remediation efforts to protect the ongoing security of our system.

The University is working with cyber security experts and relevant authorities across Government, including the National Office of Cyber Security, Australian Federal Police, the Australian Signals Directorate’s Australian Cyber Security Centre, and the NSW Information and Privacy Commission (IPC). The NSW Police Force’s Cybercrime Squad is also conducting an active investigation.

To protect University staff, students and stakeholders, the University sought and was granted an interim injunction in the NSW Supreme Court to prevent access, use, transmission and publication of any data that is the subject of the cyber incidents notified this year. This interim injunction has been extended to include the data accessed in this incident.

The University is continuing to work with cyber security experts to analyse the data that has been accessed, and our investigations are ongoing.

As there are ongoing investigations, including by NSW Police, the University is unable to comment any further at this point.

The University has not received any threats to disclose private information or demands in exchange for maintaining privacy. The University has dark web monitoring in place and there is no evidence to date that the data has been uploaded.

To date, the University’s investigations have confirmed no records have been altered. 

The unauthorised access to some data from the University’s Student Management System has been contained. 

To further bolster the security of the University's Student Management System, it was migrated to an external provider in September 2024. 

As part of our standard operations to continue strengthening the University’s network and systems, we asked all staff and students to reset their password to something strong in October 2024.

The University’s day-to-day operations have not been impacted by the incident.

The University will endeavour to notify individuals about impacts on their personal information as we are able to. This public notification will help ensure our community stays vigilant to any signs their data may have been accessed.

This public notification is for a separate cyber incident to the incidents that the University notified our community of on 21 May 2024 and 31 July 2024. 

The University has drawn this public notification to the attention of our former and current students and staff of the University, The College and The International College, and staff of Early Learning Ltd. 

Please consider all of the personal information that has been impacted across all the University’s cyber incidents and take seriously the recommended actions you can take to protect yourself.

The University unreservedly apologises and is here to support you.

The University strongly recommends you review the public notification against other notifications you have received from the University, and take the below actions to protect your personal information.

The University has engaged IDCARE, Australia’s national identity and cyber support service, to provide free advice and support to members of our community who may have questions about how to protect themselves when identity information may have been compromised.

If you have been impacted by the previous cyber incidents, you should take additional steps to protect your personal information. Please let IDCARE know if this is the case so they can provide you with the most appropriate advice.

You can contact IDCARE on 1800 595 160 and quote the reference number WESSYSMS24 or complete an online Get Help form via www.idcare.org/wsu-incident-response.

We have established a dedicated phone line and this website to answer any questions you might have. The phone line details are as follows: 02 9174 6942 (Monday to Friday, 9.00am to 4.30pm AEDT).

We understand this incident is concerning and we apologise for the impact it is having on our community. 

Please call 02 9174 6942 to speak with our dedicated team who can direct you to the most appropriate support.

If you are not satisfied with the University’s response to the incident, you can lodge a complaint or request an internal review. Please provide the details of your matter via email to internalreview@westernsydney.edu.au within six months of when you first became aware of the impact on you.

If you are not satisfied with the actions taken by the University, you can lodge a complaint with the NSW Information and Privacy Commission (IPC) within six months of when you first became aware of the impact on you. The IPC has more information about making a complaint, as well as your review rights, and can be contacted at: 

Please note, this public notification will be published on the University’s public notification register from today’s date (11 February 2025) for 12 months. This public notification will also be available on the Office of General Counsel’s website and the IPC’s website.

If you are a staff member or student from The College or International College or a staff member from Early Learning Ltd and you are not satisfied with: 

  • the University’s response to this incident, you can or lodge a complaint to the University’s Privacy Officer privacy@westernsydney.edu.au within twelve months of when you first became aware of the impact on you.
  • the actions taken by The College, International College or Early Learning Ltd, you can lodge a complaint within twelve months of when you first became aware of the impact on you with the Office of the Australian Information Commissioner and seek further guidance via oaic.gov.au.

No, the recommendations for impacted individuals remain the same.

The University has engaged IDCARE, Australia’s national identity and cyber support service, to provide free advice and support to members of our community who may have questions about how to protect themselves when identity information may have been compromised.

If you have been impacted by the previous cyber incidents, you should take additional steps to protect your personal information. Please let IDCARE know if this is the case so they can provide you with the most appropriate advice.

You can contact IDCARE on 1800 595 160 and quote the reference number WESSYSMS24 or complete an online Get Help form via www.idcare.org/wsu-incident-response.