Students and staff have had their sensitive information stolen in the latest of a series of cyberattacks plaguing Western Sydney University (WSU).
Last week, WSU told its community a new round of personal information had been “impacted by a cyber incident”.
For students and staff, this meant a threat actor had gotten their hands on some of the most sensitive details possible, including tax file numbers, bank account details, passport and driver licence details, visa information, health and disability information, and more.
Other personal information included contact information – namely addresses, email addresses and phone numbers – along with names, dates of births, ethnicities, and student and staff IDs.
“Attempts to gain unauthorised access to our systems have continued, including via external parties that supply IT services to the University,” said WSU vice-chancellor and president George Williams.
The university said it had identified two instances of “unusual activity” on 6 August and 11 August 2025 – both of which occurred on a student management system which had been hosted by a third-party provider using a cloud-based platform.
After discovering the suspicious activity, the university said it commenced an investigation “immediately” and directed its third-party supplier to “shut down access” to its platform.
Investigations ultimately found a daisy-chain of suppliers had been exploited during the breach, starting at an additional external system which itself was linked to the third-party cloud platform between 19 June 2025 and 3 September 2025.
“Unauthorised entry through these third- and fourth-party systems enabled personal information to be accessed and exfiltrated from the University’s Student Management System,” wrote WSU.
The university has notified victims of the incident, including staff, course offer recipients and former and current students.
“I want to again apologise for the impact this is having and give you my assurance that we are doing everything we can to rectify this issue and support our community,” said Williams.
Information Age understands the latest data breach marks at least the fifth significant cybersecurity incident WSU has suffered since 2023.
Mounting cybersecurity pressures
Further to his latest apology, Williams said the university was “working closely” with the NSW Police Cybercrime Squad’s Strike Force Docker, an outfit which has been collaborating with Australian Federal Police and WSU to investigate the string of cyberattacks targeting the school.
WSU logs its ongoing cyber incidents on a dedicated web page. Source: WSU
WSU reported three separate security incidents last year alone: a breach which involved a compromised IT account, a breach which impacted the university’s Microsoft Office 365 environment, and another which saw its storage platform accessed between July 2023 and March 2024.
Data related to the university started to appear online as early as January 2024, while a further 10,000 current and former students were caught in another cyberattack which occurred in early 2025.
In September, the university confirmed stolen student data had appeared on both the dark web and clear web – leading Williams to apologise for the “considerable toll” its string of targeted attacks had taken on the community.
The university’s most recent data breach was also linked to an October email scam campaign which tried to fool current and former WSU into believing their qualifications and university placements had been revoked.
Some students found these scam emails contained their legitimate student numbers, while a threat actor later claimed they were able to perform the scam using a legitimate WSU email account thanks to a simple, ongoing web vulnerability.
“In recent weeks, it has become clear that these incidents are intended to harm our community,” said Williams.
“We encourage all students, staff and alumni who receive notifications to take the recommended actions, regardless of steps taken in the past, and to use the support services available.”
Former student haunts WSU
WSU’s recent data breach follows the arrest of Birdie Kingston – a former student charged with hacking the school over several years.
While neither NSW Police nor WSU confirmed who may have been responsible for the latest attack, Williams made explicit reference to Kingston.
“On 25 June 2025, NSW Police arrested and charged a former student of the University,” said Williams.
“Despite this, attempts to gain unauthorised access to our systems have continued.”
Kingston faces more than 20 charges at the time of writing.
Williams emphasised the university’s “ongoing efforts” to strengthen its cybersecurity, while the NSW Supreme Court has granted an interim injunction to “prohibit transmission, publication and use” of any information obtained by the former student in an unauthorised manner from the institution's IT systems and network.
