Students at the university, which has several campuses across Sydney’s western suburbs, were notified of the cyber intrusion in May. When the breach was found, the university swiftly shut down its network and put measures in place to secure it.

About 7500 people were affected, though the university maintained there had been “no threats received” regarding the private information accessed.

In a new statement today, UWS stressed its commitment to “transparently rectifying” the issue and keeping its student and staff community updated.

“Since unauthorised access to Western Sydney University’s IT network was discovered in January 2024, the university has been undertaking forensic investigations in line with our due diligence and legal obligations to determine the full nature, scope and scale of the incident,” UWS said.

“As a result of the ongoing investigations, the university issued this public notification on 31 July 2024 about unauthorised access to the university’s storage platform, known as the Isilon storage platform.

“In particular, the university is drawing this public notification to the attention of our university community, which includes, but is not limited to, our former and current students and staff.

“The university unreservedly apologises for this incident and the impact it is having on our community. The university is committed to transparently rectifying this matter and will keep our community updated as our investigation progresses.”

The breach affected UWS’s “Microsoft Office 365 environment”. Having continued its investigation, the university now saws “personal information in Isilon was also subject to unauthorised access”.

“Isilon holds My Documents information, departmental shared folders, and some backup and archived data,” it explained.

“We have been and will continue to analyse the very large and complex dataset to properly understand the impact the unauthorised access to Isilon has had on individuals’ personal information.”

At this point, UWS can confirm there is evidence of access to about 580 terabytes of data, across 83 of Islon’s 400 directories. This unauthorised accessed occurred between July 9, 2023 and March 16, 2024.

Personally identifiable information was accessed, including people’s names, contact details, dates of birth, health information, sensitive information relating to workplace conduct, health and safety matters, government identification documents, tax file numbers, superannuation details and bank account information.

“Based on its forensic investigation to date, the university has no evidence that this incident extends beyond the University’s Microsoft Office 365 and Isilon environments,” said UWS.

“The university has not received any threats to disclose private information or demands in exchange for maintaining privacy. The university has dark web monitoring in place and there is no evidence to date that the data has been uploaded.

“The university has not detected any further unauthorised access to Isilon since remediation work took place.

“The university continues to engage with the authorities in relation to the perpetrator of the Isilon incident.”

Next steps

UWS says it continues to work with “Australia’s leading digital forensics and incident response team at CyberCX”, as well as relevant government authorities, including the National Office of Cyber Security, Australian Federal Police, Australian Cyber Security Centre, Australian Signals Directorate and the Department of Home Affairs.

NSW Police are investigating under the banner of Strike Force Girrakool.

“To protect University staff, students and stakeholders, the university sought and was granted an interim injunction in the NSW Supreme Court to prevent any access, use, transmission and publication of any data that is the subject of the incident. This includes data in Isilon that was accessed without authorisation,” said the university.

“The university’s leadership and Board have taken a number of steps to remediate the issue and further protect staff and students, including completing a password reset, enhancing detection monitoring, implementing additional firewall protection, increasing our cyber security team capacity, and reviewing data storage and retention practices.”

In an email to staff, students and alumni today, the university drew recipients’ attention to “steps they can take to protect themselves”, as well as support services available to them.

In the coming weeks, the university will “endeavour to notify individuals about the impact on their personal information”, though the “volume and complexity of the data” will provide a significant challenge.

UWS has established a dedicated phone line to provide support. Should you need it, you can call 02 9174 6942. It operates Monday to Friday, from 9am to 4.30pm.

Originally published as Western Sydney University provides update on cyber breach that affected thousands