Western Sydney University (WSU) has confirmed passport and tax file numbers were among the details exposed online following a former student’s alleged years-long hacking spree.

In April, WSU announced the data of approximately 10,000 current and former students had been “subject to unauthorised access” after a threat actor gained access to one of its systems.

On Thursday, the university confirmed a slew of stolen data had been published online, including but not limited to names, dates of birth, email addresses, phone numbers, student admission and enrolment details, and tax file numbers.

WSU also conceded identity documents provided to the university – such as passport numbers, driver license details and visa information – had been impacted.

“Our university has been relentlessly targeted in a string of attacks on our network,” said WSU vice-chancellor and president, George Williams.

“This has taken a considerable toll on our community, and for that, I am deeply sorry.”

The university saw three posts crop up between 4 and 8 June: one on the dark web and two on the everyday, open internet.

These posts linked to fileshare sites which hosted a dataset for download, though the university confirmed “all datasets had been taken down” by 20 June.

“We ask that our community remains alert to any suspicious activity, and that they take action when asked to,” said Williams.

Former student charged after repeated hacks

Williams also thanked NSW Police for charging a former WSU student “in relation to cyber offences”.

His statement arrived some two months after 27-year-old Birdie Kingston was arrested at her home in Kingswood, NSW and charged with 20 offences, including blackmail and accessing and modifying restricted data.

The former student allegedly accessed the school’s servers for the first time in 2021 to score free parking on campus.

Police have not confirmed whether WSU’s latest incident is linked to Kingston, though according to 9News she was eventually accused of holding the university’s staff and student data to a $40,000 ransom.

Kingston was released on bail in late June after a judge revoked her internet access and demanded she make daily reports to police.

She is expected to return to court in late September.

“As that matter is now before the court, I cannot make any further comment other than to say the university will continue to assist police with their investigations,” said Williams.

Leaked data taken down

WSU said it successfully issued takedown notices to the two fileshare sites on the open web “within hours of detecting the posts”.

“By 8 June 2025, those datasets had been removed,” WSU wrote.

WSU said the posts breached an NSW Supreme Court interim injunction which, as of last year, prohibited access, use, transmission and publication of any data subject to unauthorised access.

Such injunctions have become commonplace in cybersecurity incident responses – similar orders were granted for recent breaches at the likes of IVF provider Genea Fertility, airline Qantas and law firm HWL Ebsworth.

As for the data shared to the dark web, WSU emphasised “it is not possible to issue takedown notices to dark web forums”.

The data was no longer accessible online as of 20 June, though a separate dark web post from November 2024 has offered to sell alleged data from the school’s student management system, and at the time of writing, remains live.

Further to its data breach which impacted 10,000 students this year, WSU reported at least three major cybersecurity incidents in 2024, including breaches of its student management system, the university’s Microsoft Office 365 environment, and a third-party storage platform.