Police investigations are underway after emails which initially appeared to have been sent by Western Sydney University claimed students’ qualifications had been revoked, that more of their personal data had been stolen, and cybersecurity gaps had been left unpatched.
The emails — sent on Monday during a public holiday in New South Wales — soon appeared on social media, where current and former students voiced their concern after previously having their personal information breached and posted on the dark web.
Western Sydney University (WSU) confirmed to Information Age on Tuesday that neither mass email was sent by the university, and said students’ qualifications had not been revoked.
WSU said the emails were “fraudulent” and some “falsely” claimed students had been excluded from the institution.
The university apologised to students “for any concern this may have caused”.
“We are reaching out to inform people that the email is fraudulent and have informed NSW Police,” a spokesperson said in a statement.
The university said it would not comment further, due to ongoing police investigations.
NSW Police confirmed detectives were investigating “an alleged data breach” and were working with WSU to contain it.
“Anyone who believes their details may have been compromised is urged to contact ReportCyber,” police said.
NSW Police would not comment on the ongoing case against former WSU student Birdie Kingston, who was granted bail in June after being arrested and charged with hacking the institution over several years.
There is no suggestion that Kingston was involved in the latest email-related incidents.
Email leaves students ‘panicked’
An email sent to some current and former WSU students on Monday night, which initially appeared to have been sent by an official university account, claimed “the decision has been made to permanently exclude you from any further study at Western Sydney University".
"As a result, any existing certificates or awards previously issued to you are hereby revoked,” it stated.
The email claimed the “decision of the Board of Trustees is final and binding” and told receivers to seek out legal advice.
“I have a sneaking suspicion this is a scam since it didn't get sent to my student email but I panicked regardless," wrote one social media user in response to the email.
"What the helly it had my student number and everything."
“Damn near gave me a HEART ATTACK I was planning to use my degree for a job overseas I thought that whole plan went down the drain,” wrote another.
WSU did not comment on whether the email had been sent using its own email systems, or if an official email address had been spoofed by fraudsters.
An email sent to current and former WSU students appeared to have come from a legitimate WSU account. Image: Reddit / Greedy-Witness5794
Mass email alleges more cybersecurity failures
A separate mass email sent on Monday — allegedly from WSU's official "parking compliance" email address — made several accusations regarding alleged cyber incidents at the institution.
The email, titled “Urgent: WSU’s Ongoing Security Flaws and Lack of Action”, accused the university of being aware of a vulnerability which allowed the browser tool known as ‘Inspect element’ to be used to manipulate sensitive information on WSU websites.
The sender, who did not include their name, said they used “the very same vulnerability” to send their Monday email to students using a WSU email account they typically would not have access to.
They also accused the university of knowing about the issue since 2017, and said it had “neglected to take meaningful action” to fix it.
"No improvements have been made, and no precautions have been implemented to ensure the security of your information,” the person wrote.
The sender also made allegations, without providing evidence, that “sensitive data” submitted through the university’s digital forms system “was hacked and stolen” in August.
“Even more alarming is the fact that WSU has not disclosed this breach to students, leaving many unaware that their personal data may have been compromised,” they wrote.
The sender also alleged some student grades had been modified without the university’s knowledge, “including cases that appear to involve direct database access”.
WSU would not comment on the claims made in the email and again cited ongoing police investigations.
UPDATE 09/10/25: In a statement on Wednesday night, Western Sydney University said the unauthorised emails were generated when "an unauthorised person accessed an automatic email generator and populated it with previously stolen information to send out the emails".
"In this case, no data was stolen and there is no perpetrator within our system," the university said.
