Bank accounts, health records and government-issued IDs of more than 7500 current and former Western Sydney University students and staff were compromised in a cyber attack last year, the university revealed on Wednesday.

In addition to a breach of its IT network in May, the intruders were able to delve much further into WSU’s data storage platform – accessing personal documents, “departmental shared folders, and some backup and archived data” between July 9 2023 and as recently as March 16 this year.

The university’s Student Representative Council said students are “extremely concerned and distressed” to be facing a second breach of their personal information within a matter of months, calling for “clear answers” and assurances action will be taken to better protect their data.

“The University has a duty of care to its students and to allow multiple data breaches of this nature to occur is a failure of the care,” the SRC said, in a public statement moved by vice-president Vidushi Sethi.

“While we understand that Vice Chancellor George (Williams)’s tenure has just started and we appreciate his efforts, the SRC must call out the systemic issues and failures that have led to this repeated incident.

“The impacted community is rightfully angry … it is unacceptable for this to happen once, but for it to occur twice is outrageous.”

A forensic investigation has confirmed “evidence of access to approximately 580 terabytes of data” in more than 80 different directories within the system, including names, contact information, dates of birth, health records and “sensitive information relating to workplace conduct and health and safety matters”.

Worryingly, financial information was also accessed including government ID documents, tax file numbers, superannuation details and bank account information.

Western Sydney University refused to confirm how much of the 580TB accessed was categorised as “personally identifiable information”, citing legal proceedings, but the amount of data is nearly ten times the quantity stolen from electronic prescription provider MediSecure.

The MediSecure hack resulted in the health and personal information of 12.9 million Australians being stolen, from 6.5 terabytes of data which cyber experts say has already been sold on the dark web.

If 580 terabytes of data were stored on CDs stacked on top of each other, the stack would be 944 metres tall – higher than the world’s tallest building, the Burj Khalifa.

The university, which is working with authorities including the National Office of Cyber Security, federal police, Australian Signals Directorate and Department of Home Affairs as well as private cybersecurity companies, said dark web monitoring hasn’t found any evidence of the compromised data being published or sold.

“The University has not received any threats to disclose private information or demands in exchange for maintaining privacy,” a public statement read.

In an email to students and alumni, new Vice-Chancellor Professor George Williams apologised “unreservedly” for the breach.

“We are committed to transparently rectifying this matter and will keep you updated as our investigation progresses,” he wrote.

In a media statement, Professor Williams added: “Our priority remains supporting and assisting our students, staff and stakeholders. We have set up a number of support services for them.”

The incident is also being investigated by NSW Police’s cybercrime unit, under Strike Force Girrakool.

More Coverage

300 hacks per year: NSW unis fail their own cyber test

Eilidh Sproul-Mellis

Foreign hacks on Australian universities ‘only going to get worse’

Eilidh Sproul-Mellis