Western Sydney University Confirms Data Security Breach Affecting Students and Staff

Western Sydney University said it suffered a significant data security incident earlier this year that compromised the sensitive personal data of its students and staff.

 

Western Sydney University (WSU) is a prominent academic institution in Australia serving approximately 47,000 students and employing over 4,500 staff members across multiple campuses. The university operates with an annual budget of around $600 million.

 

In a data security incident notice published on its website, WSU said that in August, it detected two instances of unauthorised activity in its student management platform, which is hosted by a third-party service provider. The University immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“The University identified two instances of unusual activity on 6 August 2025 and 11 August 2025. This activity occurred on the University’s Student Management System, hosted by a third-party provider on a cloud-based platform.

 

“An investigation commenced immediately, and the University directed the third-party provider to shut down access to its platform. The investigation confirmed that unauthorised access to this system was obtained through a further external system linked to that platform between 19 June 2025 and 3 September 2025,” WSU said.

 

“Unauthorised entry through these third and fourth party systems enabled personal information to be accessed and exfiltrated from the University’s Student Management System.

 

“The University’s investigations confirm that the fraudulent emails which were sent to some community members on 6 October 2025 used data stolen in this incident,” WSU added.

 

The compromised data included names, dates of birth, addresses, email addresses, phone numbers, student or staff IDs, employment and payroll details, bank account details, tax file numbers, driver licence details, passport details and more.

 

After detecting the incident, the University promptly informed NSW Police and relevant regulators. Police requested that notification to the community be delayed to avoid impacting investigations. The security notice is now approved for release to offer recipients and current and former students and staff of the University, The College, The International College, and Early Learning Ltd.

 

The University has advised affected individuals to change their personal and University email passwords. If the same password is used for other accounts, such as banking, utilities, or social media, those passwords should be reset too.