The incidents happened in August 2024 when the hacker accessed the student management and back-end data storage systems and the single sign-on system in late January and February this year.

In an update, the university said its months-long investigation revealed a dark web post was shared on November 2024 containing a “sample set of data” available to download which also “mentions a larger dataset available for purchase”.

For all the latest science and technology news — download the news.com.au app direct to your phone.

Its forensic team confirmed it contained university data and that the information for sale, as flagged in the dark web post, was “likely” from the August cyber attack.

“The sample dataset has been accessible from 1 November 2024 and remains live. The nature of the dark web means it is not possible to issue take-down notices to dark web forums,” the university said in an email, sent to news.com.au by an ex-student.

The dark web and two open web posts were shared between June 4 and 8 of this year containing “three fileshare sites hosting” data available to download.

The university’s cyber monitoring team was able to detect it within eight hours of going live and found the data was from the January/February hack on the single sign on system.

Take-down notices were issued against the two open web fileshares as it was in breach of the NSW Supreme Court interim junction it granted the university following the October attack.

By June 8 they were removed, with the third dataset “no longer accessible” by June 20.

It was unclear what had been accessed, but the update from August 28 confirmed a shocking amount of personal and private information was shared to the dark web.

It includes the basics such as names, addresses, date of births, emails, phone numbers, student identification numbers, and tax file numbers.

But there was also sensitive data such as Australian and international passport numbers, Australian visa details, drivers licences, bank account information, health and wellbeing details, as well as employees of the university and their employment and award salary level.

Western Sydney University previously said it had reached out to about 10,000 current and former students notifying them they may have been impacted.

“The university has engaged IDCARE, Australia’s national identity and cyber support service, to provide free advice and support to those who may have questions about how to protect themselves when their identity information has been compromised,” it said in its latest update.

The university has stressed it has made additional updates to its security with the “highest priority” such as growing its cyber security team, new multi-factor authentication for staff, with students to also expect it soon, and additional firewall protection.

Police were notified of the incidents.

The university said it had worked with the NSW Police Cybercrime Squad’s Strike Force Docker and subsequently arrested one of its former students in June

Birdie Kingston, a 27-year-old who studied electrical engineering, is accused of accessing the university’s systems and threatening to sell confidential information to the dark web.

She allegedly first hacked the database in 2021 to get cheaper parking at her campus.

Kingston is then accused of taking it a step further and altering her grades.

By 2023 she allegedly threatened to leak sensitive information online.

In return for not publishing the data, she allegedly asked for cryptocurrency to the value of around $40,000, police said, but the university refused to pay.

“There were a number of grievances which were not resolved to their liking and we believe that is the driving factor behind the offending,” Detective Acting Superintendent Jason Smith said in June after Kingston’s arrest.

Officers in 2023 had executed a search warrant at the woman’s apartment at the Kingswood campus in Western Sydney. No charges were laid at the time but she allegedly continued the cyber attacks despite being questioned by police.

In June she was charged with 21 offences, including 10 counts of accessing or modifying data held in a computer. The 27-year-old was granted bail in June and was not allowed to access the internet or smart devices, with the judge only allowing her to use an analogue phone.

Students affected can contact IDCARE on 1800 595 160 and quote reference number WESSYDWP25 or call the university’s hotline on 02 9174 6942.

Originally published as Western Sydney University provides update after 10,000 hacked in cyber incidents