Western Sydney University (WSU) announced two security incidents that exposed personal information belonging to members of its community.
WSU is a prominent Australian institution offering various undergraduate, postgraduate, and research programs across multiple disciplines.
It serves a student body of 47,000 and employs over 4,500 permanent and seasonal staff, operating with an annual budget of approximately $600 million.
One of the incidents disclosed concerns the compromise of one of the University’s single sign-on (SSO) systems between January and February 2025.
This breach has reportedly led to the unauthorized access of demographic, enrollment, and progression information for approximately 10,000 current and former students.
The university states that it took immediate action to block the attacker once it became aware of the breach, and investigations into the incident are ongoing.
The second cybersecurity incident concerns a leak on the dark web of personal information belonging to members of the University’s community.
Although that hackers published the data on November 1, 2024, WSU only became aware of it this year on March 24.
The attacker’s wording in the post is vague, but the university’s announcement mentions that it “broadly reflects the same types of personal information outlined in previous cyber notifications.”
Between the security incidents, the educational institute suffered another data breach in May 2023, which it discovered and disclosed it a year later, informing its community that hackers had accessed its Microsoft Office 365 environment, including email accounts and SharePoint files.
That incident was later estimated to have impacted 7,500 individuals, exposing names, contact details, dates of birth, health information, government ID numbers, and bank account information.
The investigation revealed that the hackers maintained access to WSU’s networks between July 9, 2023, and March 16, 2024, obtaining access to 580 terabytes of data.
It is unclear if the post published on the dark web in November 2024 contains information stolen during that incident, or if it concerns a separate case altogether.
BleepingComputer has contacted WSU to ask for clarifications on that topic, but we are still waiting for their response.
Given the situation with repeated breaches and sensitive data leaked online, Vice-Chancellor and President George Williams issued an apology.
“The University is very aware of the personal impact these incidents are having on its students, staff, and wider community,” Williams stated.
“On behalf of the University, I apologize to our community. Our teams are working hard to respond and strengthen our digital environment.”
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
