NewsBite

Western Sydney University student data stolen again, posted on dark web

Personal information has been stolen from a major Australian university again and posted on the dark web.

The details of more than 10,000 students have been stolen from one of Australia’s largest universities.

Western Sydney University has again been targeted in a cyber breach. In a statement released on Thursday, the university said demographic, enrolment and course progress information had been taken.

In a separate incident, “personal information belonging to the university community” was discovered on the dark web in late March – the information had been online for almost five months.

It is unclear if the information was for sale or posted as a whole.

A university spokesperson said the matter was under police investigation and could not be elaborated on.

An injunction granted by the courts last year prevents any stolen university data from being accessed, used, transmitted or published.

The university has been targeted multiple times in the past two years. Picture: Supplied

“As impacted individuals are identified, we will notify them and explain the steps those individuals should take to protect themselves,” a university spokesperson said in a statement.

“To protect its staff, students and community, the university has previously sought and was granted an interim injunction in the NSW Supreme Court to prevent access, use, transmission and publication of any data associated with (a prior stolen data, dark web) post.”

The NSW cybercrime police squad is investigating the incidents.

The latest theft of thousands of students’ data was perpetrated through one of the university’s single sign-on (SSO) systems earlier this year.

“As soon as the unauthorised access was detected, our internal and third-party cyber experts immediately began working to shut down the perpetrator’s access to our system in real time. I’d like to thank our expert teams for their rapid and professional response,” the university spokesperson said.

Stolen personal data was posted on the dark web. Picture: iStock

“The university expects to notify approximately 10,000 current and former students next week whose information was subject to unauthorised access that occurred in January and February 2025.”

Western Sydney University has been hit by a string of data thefts in recent years. From mid-2023 to March 2024, 580 terabytes of names, contacts, dates of birth, health information, government identification, tax file numbers and bank account details were stolen. That attack was carried out through Microsoft Office 365 and Dell’s storage platform, Isilon. In that instance, the university said it had not received any threats of extortion over the data.

“Western Sydney University has been the subject of persistent and targeted attacks on our network,” the spokesperson said on Thursday.

“We are very aware of the personal impact these incidents are having on our students, staff and wider community, and on behalf of the university, I sincerely apologise.”

The university has multiple campuses in western Sydney. About 46,000 students are enrolled, making it the 11th largest university in the country.

Originally published as Western Sydney University student data stolen again, posted on dark web

Original URL: https://www.adelaidenow.com.au/technology/online/western-sydney-university-student-data-stolen-again-posted-on-dark-web/news-story/6025b98e99c99f7769b2711ed0246356