
Western Sydney University discloses multiple cybersecurity breaches impacting thousands

Western Sydney University (WSU), a leading academic institution in Australia, has confirmed a series of cybersecurity breaches that compromised sensitive personal data of students, staff, and other community members. The university announced the incidents in a recent statement, revealing the scale and timeline of the intrusions.


The most recent breach occurred between January and February 2025, targeting one of the university’s single sign-on (SSO) systems. The intrusion reportedly allowed unauthorized parties to access demographic, enrollment, and academic progression data of approximately 10,000 current and former students. According to WSU, immediate measures were taken to block the attacker once the breach was detected, and an investigation remains underway.


In a separate incident, personal information of university affiliates was found published on the dark web on November 1, 2024. However, the university only became aware of this exposure on March 24, 2025. The content of the post remains vague, but university officials noted that it appears consistent with data categories previously impacted by cyber incidents, including personally identifiable information.


Adding to the gravity of the situation, WSU also acknowledged a previously undisclosed breach that took place in May 2023. This incident, which was discovered and disclosed a year later, involved unauthorized access to the university’s Microsoft Office 365 environment, including email accounts and SharePoint files. The breach impacted around 7,500 individuals, with exposed information including names, contact details, birth dates, health records, government identification numbers, and banking details.


Further investigation into the 2023 breach revealed that threat actors had maintained access to WSU’s systems for over eight months, from July 9, 2023, to March 16, 2024. During this period, they reportedly accessed a staggering 580 terabytes of institutional data. It remains uncertain whether the data posted on the dark web in November 2024 stemmed from this breach or represents a separate incident. WSU has not yet provided clarity on the connection, and BleepingComputer has reached out to the university for comment.


In response to the wave of breaches, Vice-Chancellor and President George Williams offered a formal apology to the university community. “The University is very aware of the personal impact these incidents are having on its students, staff, and wider community,” Williams said. “On behalf of the University, I apologize to our community. Our teams are working hard to respond and strengthen our digital environment.”


Western Sydney University, which serves 47,000 students and employs over 4,500 staff members across various campuses, operates on an annual budget of approximately $600 million. The repeated breaches underscore the growing cybersecurity challenges faced by educational institutions worldwide, particularly in protecting large volumes of sensitive information across complex digital environments.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543