Register of Public Notifications

Public notification: Western Sydney University’s cyber incident - 28 August 2025

This public notification is to inform Western Sydney University’s community that previously stolen personal information was unlawfully published on the open web and dark web, and to outline the steps people can take to protect themselves.

The University’s enhanced cyber capabilities have detected the unlawful publication of personal information that was stolen through two previous cyber incidents:

• the Student Management System and other storage systems incident, notified on 31 October 2024, corrected on 11 February 2025; and
• the single sign-on (SSO) systems incident, announced on 10 and 15 April 2025.

This public notification is for the attention of former and current students and staff of the University, The College, The International College, and staff of Early Learning Ltd., including those who were impacted by the cyber incidents mentioned above.

The University sincerely apologises for the impact of these incidents on its community and remains committed to transparent communication and rectifying this matter as quickly as possible.

Details of the unauthorised disclosures

Dark web post – November 2024 (Student Management System and other storage systems incident)

On 10 and 15 April 2025, Western Sydney University informed its community of a dark web post purporting to contain personal information belonging to people in the University community.

The University has undertaken an extensive investigation in conjunction with the digital forensic experts and can confirm the following:

• On 24 March 2025, as a result of its continued investment in cyber capabilities, the University identified a dark web post dated 1 November 2024.
• The dark web post contains a set of sample data available to download, and mentions a larger dataset available for purchase. The University securely downloaded the sample data and undertook forensic analysis which confirmed it contained legitimate University data. The University did not purchase the larger dataset as it does not participate in the proceeds of crime and will not pay for information that has been unlawfully obtained.
• Forensic analysis indicates the source of the sample dataset and the larger dataset offered for sale on the dark web post is likely the cyber incident the University notified its community of on 31 October 2024.
• The sample dataset has been accessible from 1 November 2024 and remains live. The nature of the dark web means it is not possible to issue takedown notices to dark web forums.

Open and dark web posts – June 2025 (SSO incident)

Between 4-8 June 2025, two open web posts and one dark web post went live, linking to three fileshare sites hosting a dataset available for download. By 20 June 2025, all datasets had been taken down.

The University’s extended cyber monitoring detected these open web and dark web posts within eight hours of going live. Investigations have confirmed the following:

• The source of the datasets has been confirmed as the single sign-on (SSO) incident which the University announced on 10 April 2025, and individual notifications were sent on 15 April 2025.
• All posts were in breach of the NSW Supreme Court interim injunction the University was granted last year.
• The University issued takedown notices to the two open web fileshare sites within hours of detection and by 8 June 2025, those datasets had been removed.
• By 20 June 2025, the third dataset was no longer accessible.

Impacted personal information

The types of personal information which have been unlawfully published includes:

• Name / Former name
• Address
• Date of birth
• Sex
• Gender
• Landline and mobile phone numbers
• University-issued email addresses
• Non-University issued email addresses
• WSU student identification numbers
• Tax File Numbers (TFN)
• Australian passport numbers
• International passport numbers
• Australian visa numbers
• Drivers licence numbers
• Bank account information
• Sensitive information relating to health and wellbeing
• University Admissions Centre (UAC) identification and reference numbers
• Unique Student Identifiers (USI)
• Commonwealth Higher Education Student Support Numbers (CHESSN)
• Tuition fee information, including fees deferred to HELP/HECS
• Student admission and enrolment data including:
  • Subject
  • Results and progression information
  • Parent education level

• Student demographic data including:
  • Nationality
  • Indigenous status
  • Country of birth
  • Citizenship status
  • Visa type
  • First in family information
• Culturally and Linguistically Diverse (CALD) / Aboriginal and Torres Strait Islander (ATSI) / Socio-Economic Status (SES) background indicators
• WSU employee data including employment basis and award salary level
• WSU employee identification numbers

Action you should takeThe University has engaged IDCARE, Australia’s national identity and cyber support service, to provide free advice and support to those who may have questions about how to protect themselves when their identity information has been compromised.

If you have taken steps to protect your personal information following the previous cyber incidents, there may be additional steps you should take. Please let IDCARE know if this is the case so they can provide you with the most appropriate advice.

You can contact IDCARE on 1800 595 160 and quote the reference number WESSYDWP25 or complete an online Get Help form via www.idcare.org/wsu-incident-response.

Additional support services

• Cyber incident website: A dedicated website has been published with information about cyber incidents impacting the University community, including answers to questions you might have and general information about cyber security and incident management. This is available at: www.westernsydney.edu.au/cyberdetails
• University phone line: The University has a phone line to support enquiries about this notice. They will be able to direct you to the appropriate supports available. Phone: 02 9174 6942 (Monday to Friday, 9.00am to 4.30pm AEST)

• Information and Privacy Commission NSW (IPC): The IPC also has a range of useful resources and support available on their website at www.ipc.nsw.gov.au/privacy/resources-citizens/data-breach-support
• ReportCyber: If you believe your information has been misused as a result of this incident, report this at www.cyber.gov.au

Information about your rights

If you are not satisfied with the University’s response to the incident, you can lodge a complaint or request an internal review by providing the details of your matter via email to internalreview@westernsydney.edu.au. An internal review is a fact finding investigation into your privacy complaint and how an incident has affected you. Your email must be received within six months of when you first became aware of the impact on you.

If you are not satisfied with the actions taken by the University, you can lodge a complaint with the IPC within six months of when you first became aware of the impact on you. The IPC has more information about making a complaint, as well as your review rights, and can be contacted at:

• Phone: 1800 472 679
• Email: ipcinfo@ipc.nsw.gov.au
• Post: GPO Box 7011, Sydney NSW 2001
• Website: ipc.nsw.gov.au

Please note, this public notification will be published on the University’s public notification register from today's date (28 August 2025) for 12 months. This public notification will also be available on the Office of General Counsel’s website and the IPC’s website.

If you are a staff member or student from The College or International College or a staff member from Early Learning Ltd and you are not satisfied:

• With the University’s response to this incident, you can lodge a complaint to the University’s Privacy Officer privacy@westernsydney.edu.au within 12 months of when you first became aware of the impact on you.
• With the actions taken by The College, International College or Early Learning Ltd, you can lodge a complaint with the Office of the Australian Information Commissioner within 12 months of when you first became aware of the impact on you and seek further guidance via oaic.gov.au.

What the University has done to secure personal information and mitigate harm

The University continues to uplift its cyber security protections and implement a comprehensive remediation program with the highest priority. This includes, but is not limited to:

• Ongoing password hygiene.
• Enhancing detection and implementing 24/7 monitoring capabilities.
• Implementing additional firewall protection.
• Increasing the cyber security team capacity.
• Rollout of a new Multi-Factor Authentication (MFA) platform for staff ensuring more secure access across our systems, with student implementation underway.
• Appointing a senior risk advisor to strengthen cyber governance and oversight.
• Other enhancements including a new cyber threat intelligence capability.

The University has been working closely with NSW Police Force Cybercrime Squad’s Strike Force Docker. On 25 June 2025, NSW Police arrested and charged a former student of the University. NSW Police allege this former student was involved in the unauthorised access to our systems and threatened to sell confidential information on the dark web.

The interim injunction previously granted to the University by the NSW Supreme Court continues to prohibit transmission, publication and use of any information or material obtained by the former student in an unauthorised manner from the University’s IT systems and network between March 2021 and June 2025.

The University continues to work with cyber security experts and relevant authorities across Government, including the National Office of Cyber Security, Australian Federal Police and the Australian Signals Directorate’s Australian Cyber Security Centre.

Next steps

The University will endeavour to notify individuals about specific impacts on their personal information where possible. This public notification will help ensure the University community stays vigilant to any signs their data may have been accessed.

The University advises its community to review this public notification against other notifications, and to take the recommended actions to protect your personal information.

For more information about the University’s cyber incidents, and to access the support services available, please visit the dedicated webpage here.

Public notification: Western Sydney University's cyber incident - 31 October 2024 - as corrected on 11 February 2025

On 31 October 2024 Western Sydney University notified its community of unauthorised access to the University’s Student Management System and other back-end data storage systems, including the Data Warehouse from 14 August to 31 August 2024.

On 11 February 2025, the University issued a correction and an update to the public notification, confirming:

1. The unauthorised access to these systems occurred from 14 August to 3 September, three days longer than we originally notified on 31 October 2024.
2. Additional personally identifiable information that may have been accessed, including first in family status and parent education level. This information is required as part of the enrolment process.

The recommendations for impacted individuals remain the same and are outlined in the notification under the section ‘What action should you take?’.

The University has updated the below public notification and has again drawn this notification to the attention of our former and current students and staff of the University, The College and The International College, staff of Early Learning Ltd.

The University is committed to keeping our community updated through our investigation process and communicating transparently. Information about the support services the University has available are detailed in the public notification below.

31 October 2024 (corrected and updated on 11 February 2025)

Western Sydney University issued this public notification on 31 October 2024, and draws this to the attention of our former and current students and staff of the University, The College and The International College, and staff of Early Learning Ltd.

This public notification is for a separate cyber incident to the incidents that the University notified our community of on 21 May 2024 related to the University’s Microsoft Office 365 environment, and 31 July 2024 related to the University’s storage platform (Isilon), including My Documents.

The University is issuing this notification to ensure that our community stays vigilant to any signs their data may have been accessed. Please consider all of your personal information that has been impacted across all the University’s cyber incidents and take seriously the recommended actions you can take to protect yourself.

The University sincerely apologises for this incident and the ongoing impact it is having on our community. We are committed to transparently rectifying this matter and will keep our community updated as our investigation progresses.

Details of the incident

The University can confirm that an IT account was compromised which provided a perpetrator with unauthorised access to some data from the Student Management System and other back-end data storage systems including the Data Warehouse, from 14 August 2024 until 31 August 2024. 

Our investigation has confirmed names, addresses, University-issued email addresses, student identification numbers, tuition fee information (including fees deferred to HELP/HECS), student admission and enrolment data (including subject, results and progression information, and parent education level), and student demographic data (including nationality, Indigenous status, country of birth, citizenship status, gender, date of birth and first in family information) were accessed.

The University has undertaken a preliminary analysis and can also confirm the following:

• On 27 August 2024, the University detected the unauthorised access and took immediate steps to protect our network in response.
• On 31 August 2024, the unauthorised access was contained.
• On 1 October 2024, the University’s investigation confirmed that personal information was accessed.
• As at 11 February 2025, our investigation into what data from the Student Management System and Data Warehouse was accessed confirmed the personal information listed above.
• As this investigation progresses, additional personal information may be found to have been accessed.
• There is no evidence to date that student records have been altered.

The University has not received any threats to disclose private information or demands in exchange for maintaining privacy. The University has dark web monitoring in place and there is no evidence to date that the data has been uploaded.

The University’s investigation to date indicates the perpetrator has used sophisticated techniques to gain unauthorised access in a targeted, persistent and sustained manner.

What the University has done to secure personal information and mitigate harm

The University continues to uplift our cyber security protections in response to this cyber incident and to the separate incidents that the University became aware of earlier this year (http://www.westernsydney.edu.au/cyberincident). Our ongoing remediation work includes, but is not limited to:

• Ongoing password resets.
• Enhancing detection and implementing 24/7 monitoring capabilities.
• Implementing additional firewall protection.
• Increasing our cyber security team capacity.

Students and staff are advised that there may be ongoing disruption to the IT network as the University continues to uplift its cyber security protections. The University is not in a position to provide any further specific information about our remediation efforts to protect the ongoing security of our system.

The University is working with cyber security experts and relevant authorities across Government, including the National Office of Cyber Security, Australian Federal Police, the Australian Signals Directorate’s Australian Cyber Security Centre, and the NSW Information and Privacy Commission (IPC). The NSW Police Force’s Cybercrime Squad is also conducting an active investigation.

To protect University staff, students and stakeholders, the University sought and was granted an interim injunction in the NSW Supreme Court to prevent access, use, transmission and publication of any data that is the subject of the cyber incidents notified this year. This interim injunction has been extended to include the data accessed in this incident.

Next steps

The University will endeavour to notify individuals about any further impact on their personal information as quickly as possible. This public notification will help ensure our community stays vigilant to any signs their data may have been accessed.

The University strongly recommends you review this public notification against other notifications you have received from the University, and take the below actions to protect your personal information.

What action should you take?

The University has engaged IDCARE, Australia’s national identity and cyber support service, to provide free advice and support to members of our community who may have questions about how to protect themselves when identity information may have been compromised.

If you have been impacted by the previous cyber incidents, you should take additional steps to protect your personal information. Please let IDCARE know if this is the case so they can provide you with the most appropriate advice.

You can contact IDCARE on 1800 595 160 and quote the reference number WESSYSMS24 or complete an online Get Help form via www.idcare.org/wsu-incident-response.

Support services

For additional support services and enquiries, the University has established a dedicated phone line. The phone line details are as follows: 02 9174 6942 (Monday to Friday, 9.00am to 4.30pm AEDT). This web page also has answers to additional questions you may have. See below.

Information about your rights

If you are not satisfied with the University’s response to the incident, you can lodge a complaint or request an internal review by providing the details of your matter via email to internalreview@westernsydney.edu.au. Your email must be received within six months of when you first became aware of the impact on you.

If you are not satisfied with the actions taken by the University, you can lodge a complaint with the NSW Information and Privacy Commission (IPC) within six months of when you first became aware of the impact on you. The IPC has more information about making a complaint, as well as your review rights, and can be contacted at:

• Phone: 1800 472 679
• Email: ipcinfo@ipc.nsw.gov.au
• Post: GPO Box 7011, Sydney NSW 2001
• Website: ipc.nsw.gov.au

Please note, this public notification will be published on the University’s public notification register from today's date (11 February 2025) for 12 months. This public notification will also be available on the Office of General Counsel’s website and the IPC’s website.

If you are a staff member or student from The College or International College or a staff member from Early Learning Ltd and you are not satisfied:

• with the University’s response to this incident, you can lodge a complaint to the University’s Privacy Officer privacy@westernsydney.edu.au within twelve months of when you first became aware of the impact on you.
• with the actions taken by The College, International College or Early Learning Ltd, you can lodge a complaint with the Office of the Australian Information Commissioner within twelve months of when you first became aware of the impact on you and seek further guidance via oaic.gov.au.

For more information about the University’s cyber incident, and to access the support services available, please visit the dedicated webpage here.

Public notification: Western Sydney University’s cyber incident - 31 October 2024

Western Sydney University issued this public notification on 31 October 2024, and draws this to the attention of our former and current students and staff of the University, The College and The International College, and staff of Early Learning Ltd.

This public notification is for a separate cyber incident to the incidents that the University notified our community of on 21 May 2024 related to the University’s Microsoft Office 365 environment, and 31 July 2024 related to the University’s storage platform (Isilon), including My Documents.

The University is issuing this notification to ensure that our community stays vigilant to any signs their data may have been accessed. Please consider all of your personal information that has been impacted across all the University’s cyber incidents and take seriously the recommended actions you can take to protect yourself.

The University sincerely apologises for this incident and the ongoing impact it is having on our community. We are committed to transparently rectifying this matter and will keep our community updated as our investigation progresses.

Details of the incident

The University can confirm that an IT account was compromised which provided a perpetrator with unauthorised access to some data from the Student Management System and other back-end data storage systems including the Data Warehouse, from 14 August 2024 until 31 August 2024.

Our investigation has confirmed names, addresses, University-issued email addresses, student identification numbers, tuition fee information (including fees deferred to HELP/HECS), student admission and enrolment data (including subject, results and progression information), and student demographic data (including nationality, Indigenous status, country of birth, citizenship status, gender and date of birth) were accessed.

The University has undertaken a preliminary analysis and can also confirm the following:

• On 27 August 2024, the University detected the unauthorised access and took immediate steps to protect our network in response.
• On 31 August 2024, the unauthorised access was contained.
• On 1 October 2024, the University’s investigation confirmed that personal information was accessed.
• As at 31 October 2024, our investigation into what data from the Student Management System and Data Warehouse was accessed confirmed the personal information listed above.
• As this investigation progresses, additional personal information may be found to have been accessed.
• There is no evidence to date that student records have been altered.

The University has not received any threats to disclose private information or demands in exchange for maintaining privacy. The University has dark web monitoring in place and there is no evidence to date that the data has been uploaded.

The University’s investigation to date indicates the perpetrator has used sophisticated techniques to gain unauthorised access in a targeted, persistent and sustained manner.

What the University has done to secure personal information and mitigate harm

The University continues to uplift our cyber security protections in response to this cyber incident and to the separate incidents that the University became aware of earlier this year (http://www.westernsydney.edu.au/cyberincident). Our ongoing remediation work includes, but is not limited to:

• Ongoing password resets.
• Enhancing detection and implementing 24/7 monitoring capabilities.
• Implementing additional firewall protection.
• Increasing our cyber security team capacity.

Students and staff are advised that there may be ongoing disruption to the IT network as the University continues to uplift its cyber security protections. The University is not in a position to provide any further specific information about our remediation efforts to protect the ongoing security of our system.

The University is working with cyber security experts and relevant authorities across Government, including the National Office of Cyber Security, Australian Federal Police, the Australian Signals Directorate’s Australian Cyber Security Centre, and the NSW Information and Privacy Commission (IPC). The NSW Police Force’s Cybercrime Squad is also conducting an active investigation.

To protect University staff, students and stakeholders, the University sought and was granted an interim injunction in the NSW Supreme Court to prevent access, use, transmission and publication of any data that is the subject of the cyber incidents notified this year. This interim injunction has been extended to include the data accessed in this incident.

Next steps

The University will endeavour to notify individuals about any further impact on their personal information as quickly as possible. This public notification will help ensure our community stays vigilant to any signs their data may have been accessed.

The University strongly recommends you review this public notification against other notifications you have received from the University, and take the below actions to protect your personal information.

What action should you take?

The University has engaged IDCARE, Australia’s national identity and cyber support service, to provide free advice and support to members of our community who may have questions about how to protect themselves when identity information may have been compromised.

If you have been impacted by the previous cyber incidents, you should take additional steps to protect your personal information. Please let IDCARE know if this is the case so they can provide you with the most appropriate advice.

You can contact IDCARE on 1800 595 160 and quote the reference number WESSYSMS24 or complete an online Get Help form via www.idcare.org/wsu-incident-response.

Support services

For additional support services and enquiries, the University has established a dedicated phone line. The phone line details are as follows: 02 9174 6942 (Monday to Friday, 9.00am to 4.30pm AEDT). This web page also has answers to additional questions you may have. See below.

Information about your rights

If you are not satisfied with the University’s response to the incident, you can lodge a complaint or request an internal review by providing the details of your matter via email to internalreview@westernsydney.edu.au. Your email must be received within six months of the date of this public notification (31 October 2024).

If you are not satisfied with the actions taken by the University, you can lodge a complaint with the NSW Information and Privacy Commission (IPC). The IPC has more information about making a complaint, as well as your review rights, and can be contacted at:

• Phone: 1800 472 679
• Email: ipcinfo@ipc.nsw.gov.au
• Post: GPO Box 7011, Sydney NSW 2001
• Website: ipc.nsw.gov.au

Please note, this public notification will be published on the University’s public notification register from the date of publication (31 October 2024) for 12 months. This public notification will also be available on the Office of General Counsel’s website and the IPC’s website.

If you are a staff member or student from The College or International College or a staff member from Early Learning Ltd and you are not satisfied with the University’s response to this incident, you can lodge a complaint to the University’s Privacy Officer privacy@westernsydney.edu.au. Your email must be received within 12 months of the date of this email.

If you are not satisfied with the actions taken by The College, International College or Early Learning Ltd, you can lodge a complaint with the Office of the Australian Information Commissioner and seek further guidance via www.oaic.gov.au.

For more information about the University’s cyber incident, and to access the support services available, please visit the dedicated webpage here.

Public notification: Western Sydney University’s cyber incident - 31 July 2024

Since unauthorised access to Western Sydney University’s IT network was discovered in January 2024, the University has been undertaking forensic investigations in line with our due diligence and legal obligations to determine the full nature, scope and scale of the incident.

As a result of the ongoing investigations, the University issued this public notification on 31 July 2024 about unauthorised access to the University’s storage platform, known as the Isilon storage platform (Isilon). In particular, the University is drawing this public notification to the attention of our University community, which includes but is not limited to, our former and current students and staff.

The University unreservedly apologises for this incident and the impact it is having on our community. The University is committed to transparently rectifying this matter and will keep our community updated as our investigation progresses.

Update on the ongoing investigation

After the University notified approximately 7,500 impacted individuals and our community about a breach to our Microsoft Office 365 environment in May 2024, the University confirmed personal information in Isilon was also subject to unauthorised access. Isilon holds My Documents information, departmental shared folders, and some backup and archived data.

We have been and will continue to analyse the very large and complex dataset to properly understand the impact the unauthorised access to Isilon has had on individuals’ personal information. The University is now in a position to confirm:

• There is evidence of access to approximately 580 terabytes of data across 83 of the 400 directories in Isilon.
• The investigation to date indicates unauthorised access to Isilon occurred between 9 July 2023 and 16 March 2024.
• Our initial review of Isilon has found personally identifiable information (PII) was accessed, including names, contact details, dates of birth, health information, sensitive information relating to workplace conduct and health and safety matters, government identification documents, tax file numbers, superannuation details and bank account information.

Based on its forensic investigation to date, the University has no evidence that this incident extends beyond the University’s Microsoft Office 365 and Isilon environments.

The University has not received any threats to disclose private information or demands in exchange for maintaining privacy. The University has dark web monitoring in place and there is no evidence to date that the data has been uploaded.

The University has not detected any further unauthorised access to Isilon since remediation work took place. The University continues to engage with the authorities in relation to the perpetrator of the Isilon incident.

What steps the University has taken

The University is working with Australia’s leading digital forensics and incident response team at CyberCX and relevant authorities, including the National Office of Cyber Security, Office of the Australian Information Commissioner, NSW Information and Privacy Commission (IPC), Australian Federal Police, Australian Cyber Security Centre, Australian Signals Directorate and Home Affairs. The NSW Police Force’s Cybercrime Squad is conducting an investigation under Strike Force GIRRAKOOL.

To protect University staff, students and stakeholders, the University sought and was granted an interim injunction in the NSW Supreme Court to prevent access, use, transmission and publication of any data that is the subject of the incident. This includes data in Isilon that was accessed without authorisation.

The University’s leadership and Board have taken a number of steps to remediate the issue and further protect staff and students, including completing a password reset, enhancing detection monitoring, implementing additional firewall protection, increasing our cyber security team capacity, and reviewing data storage and retention practices.

On 31 July 2024, the University drew this public notification to the particular attention of its community in emails issued to students, staff and alumni with information about the steps they can take to protect themselves, and the support services made available to them by the University. The University also issued a media release to draw this public notification to the attention of all those who may be impacted.

The next steps

The University will endeavour to notify individuals about the impact on their personal information in the coming weeks. However, due to the volume and complexity of the data, the University will not be able to issue individual notifications to all those who may be impacted.

What action should you take?

This public notification will help ensure our community stays vigilant to any signs their data may have been accessed.

The University has engaged IDCARE, Australia’s national identity and cyber support service, to provide free advice and support to members of our community who may have questions about how to protect themselves when identity information may have been compromised.

You can find out about ways to protect your personal information by visiting www.idcare.org/wsu-incident-response. You can also contact IDCARE on 1800 595 160 and quote the reference number WESSYDPB24 or complete an online Get Help form.

Support services

For additional support services and enquiries, the University has established a dedicated phone line. The phone line details are as follows: 02 9174 6942 (Monday to Friday, 9.00am to 4.30pm AEST). This website also has answers to additional questions you may have.

Information about your rights

If you are not satisfied with the University’s response to the incident, you can lodge a complaint or request an internal review by providing the details of your matter via email to internalreview@westernsydney.edu.au. Your email must be received within six months of the date of this public notification (31 July 2024).

If you are not satisfied with the actions taken by the University, you can lodge a complaint with the NSW Information and Privacy Commission (IPC). The IPC has more information about making a complaint as well as your review rights and can be contacted at:

• Phone: 1800 472 679
• Email: ipcinfo@ipc.nsw.gov.au

• Post: GPO Box 7011, Sydney NSW 2001
• Website: www.ipc.nsw.gov.au

Please note, this public notification will be published on the University’s public notification register from the date of publication (31 July 2024) for 12 months. This public notification will also be available on the Office of General Counsel’s website and the IPC’s website.

For more information about the University’s cyber incident, and to access the support services available, please visit the dedicated webpage here.