University of Sydney data breach impacted over 27,000 staff and students

The University of Sydney said it suffered a serious data breach last week that compromised the personal information of more than 27,000 current and former staff members, students and affiliate members.

In an official press release, the University’s vice president of operations, Nicole Gower, said the university was recently alerted about unauthorised access to an online code library which contained a historical data file that stored the personal information of tens of thousands of staff members, alumni and students as of September 2018.

The compromised data file, accessed and downloaded by hackers, included the affected people’s names, dates of birth, phone numbers, home addresses and their basic job information. According to Gower, around 10,000 staff members and affiliates are still employed by the University.

"We have notified relevant government authorities and are working with our cyber security partners to fully understand the scope of the situation," Gower said, adding that the University aims to complete full assessment of file reviews by January 2026 to get a clear picture of the true impact of the data breach and the number of people whose data was accessed.

"We took immediate action to protect our systems and community by blocking the unauthorised access and securing the environment," Gower continued. "While the data has been accessed and downloaded, there is currently no evidence it has been used or published. We are actively monitoring for any signs of use or publication and, should this occur, we will update you immediately."

Though the threat actors gained complete access to the University’s online code libraries and development code, Gower did not deliberate on the impact of the data security incident on the functioning of the University’s websites and applications.

"The identified datasets have been purged from the code library, and we are now investigating what further actions are necessary to ensure ongoing best practice," she added.

The incident follows the University of Sydney suffering another major data breach in September 2023 when threat actors breached a third-party service provider to gain access to personal information of recently applied and enrolled international applicants. The University did not announce the number of individuals affected by the incident at that time.

Established in 1850, the University of Sydney accommodates nearly 70,000 students and employs approximately 8,500 academic and administrative personnel. Recognised as one of Australia’s most prestigious educational institutes, the university plays a vital role in the nation’s academic landscape.