Western Sydney University cyber attack: Emails, personal files hacked at solar car lab

The personal details of 7500 graduates at Western Sydney University have been hacked. A leading cyber security expert says similar breaches by malicious foreign actors are “only going to get worse” – and unis need to do more to defend themselves.

The emails and personal files of more than 7000 Western Sydney University staff and students have been exposed in a cyber attack.

Australian universities are being “increasingly targeted” by foreign hackers, a leading cyber security expert has warned, and must bulk up their defences after 7500 students had their names, academic records and phone numbers illegally accessed.

Western Sydney University’s graduating class of 2023 had identifying information including their name, student ID number, date of birth, contact details, citizenship status, graduation date and their course marks exposed in a cyber attack, revealed publicly on Tuesday.

The spreadsheet of students graduating last August was accessed at some point between 17 May 2023 and January 2024 through a “compromised global administrator account”, affected individuals were informed in an email from interim Vice-Chancellor Clare Pollock, but the university has not received any threats to release the data.

The unknown intruder was able to snoop through emails and shared files for up to eight months before the breach of the university’s shared Microsoft Office 365 portal was detected.

The attack also may have involved the use of the Solar Car Laboratory at WSU’s Kingswood campus, the university said in a statement.

Solar Car Laboratory “infrastructure” may have been used in the attack, the university says.

The Australian Strategic Policy Institute’s acting director of cyber technology Mike Bareja said the lack of ransom threat suggests that the criminal responsible was not financially motivated, but is more likely to have been acting on behalf of a foreign nation state.

“In this age of strategic technology competition, (university) research is extremely valuable,” he said.

ASPI deputy director of cyber technology Mike Bareja. Picture: Supplied

“If there’s an ability to steal that and get a leg up, other countries are going to take it – and solar energy … is one of those critical technologies.”

The Australian Signals Directorate’s Cyber Threat Report found higher education and research was the equal second most frequently targeted sector in the last financial year, accounting for 17 per cent of medium-severity incidents.

At the same time, security consultants CyberCX had identified at least five data leaks from Australian educational organisations being shared on the dark web in a six-month period.

In WSU’s case, Mr Bareja said, the capability of the hacker could range from “a very unskilled person using freely available tools and skills” to break through “relatively weak cyber defences”, to a “sophisticated actor with extremely powerful tools” and a team behind them.

Western Sydney University’s Parramatta South campus.

While the higher education sector is being “increasingly targeted”, he said, its institutions are “less capable” than they should be to deal with foreign cyber attacks, and resourcing their defences is “a question for the university’s internal budgeting”.

“(Cyber security) has for a long time been seen as a cost, when in fact it is an enabler of … an organisation to actually … deliver on its objectives,” Mr Bareja said.

“If you have a motivated and persistent and sophisticated actor trying to breach your system, it’s essentially a matter of time before they succeed.

“We are underprepared, and the Australian research sector needs to mature in its approach towards these sophisticated actors, because … it’s only going to get worse.”

NSW Police are investigating the WSU attack alongside the Australian Federal Police, Australian Signals Directorate, Australian Cyber Security Centre, Department of Defence, and Home Affairs, and the university has secured an injunction from the NSW Supreme Court to prevent publication of any data obtained by the hackers.

“On behalf of the University, I unreservedly apologise for this incident and its impact on our community,” interim Vice-Chancellor Professor Clare Pollock said.

“It is deeply regrettable, and we are committed to transparently rectifying the matter and fulfilling our obligations.

Students at work on the 2023 iteration of WSU’s solar car at the Kingswood workshop. Picture: Max Mason-Hubers

“We appreciate that this may be upsetting, and we are here to support you as we work through this together.”

The Department of Home Affairs’ cyber security office confirmed it was “aware of a cyber incident” impacting the university.

“The National Office of Cyber Security is working with Western Sydney University and relevant Commonwealth and state and territory agencies to assist with managing the impacts of the incident,” a spokesperson said.

“Western Sydney University is providing a range of tailored support services for those impacted by the incident, including a dedicated hotline and counselling support.”

WSU’s last cyber incident in April 2023 saw the university take its student management system offline as a “precaution”, after “unusual activity” was detected. Then-Vice Chancellor Barney Glover assured the uni community there was “no evidence” of personal information “being accessed or compromised in any way”.

Do you know more? Email eilidh.mellis@news.com.au


Original URL: https://www.dailytelegraph.com.au/new-south-wales-education/tertiary/western-sydney-university-cyber-attack-emails-personal-files-hacked-at-solar-car-lab/news-story/b49f79de1d6d9a45f9d83aa4c7b29fc4