Cyber attack: Data of 10,000 current and former Western Sydney Uni students unlawfully accessed

It comes as the personal information of an unknown number of WSU members appears to have been posted to the dark web - the latest in a number of ‘persistent and targeted’ cyber attacks.

The information of about 10,000 current and former Western Sydney University students has been accessed unlawfully.

NSW Police are investigating after the personal information of about 10,000 current and former Western Sydney University students was unlawfully accessed and other sensitive data was separately posted on the dark web.

The personal information - accessed via one of the University’s single sign-on (SSO) systems - includes demographic, enrolment and progression information, Western Sydney University said in a statement.

The personal information of an unknown number of WSU members was also discovered on a dark web forum last month.

NSW Police told The Australian that Cybercrime Squad detectives were investigating after being alerted to a data breach that occurred in February 2025 at Western Sydney University “during which former and current student information was compromised.”

The revelations follow a co-ordinated cyber hit on some of the country’s biggest super funds including AustralianSuper, Australian Retirement Trust, Hostplus and Rest, this week, fleecing at least hundreds of thousands of dollars in Australian retirement savings. Over the past few years, massive cyberattacks have been carried out against Optus and Medibank Private.

In a statement, WSU said “the University expects to notify approximately 10,000 current and former students next week whose information was subject to unauthorised access that occurred in January and February 2025. The data relates to demographic, enrolment and progression information.”

“As soon as the unauthorised access was detected, the University’s internal and third-party cyber experts immediately began working to shut down the perpetrator’s access to the system in real time. Investigations into the incident are ongoing.”

WSU vice-chancellor George Williams.

The statement also mentioned a post on a dark web forum which “referred to personal information belonging to the University community”.

WSU says it became aware of the post on March 24 and immediately alerted authorities, but that the post was likely made on November 1, 2024.

“The University continues to investigate the post in conjunction with the authorities. Early investigations indicate that the information contained in this post broadly reflects the same types of personal information outlined in previous cyber notifications.”

That dataset appears to have been obtained through unauthorised access to WSU’s IT network between August and October last year. The University has already taken out an interim order with the NSW Supreme Court to stop the use, transmission or publication of that particular dataset.

The University said it continues to work with the National Office of Cyber Security, the Australian Federal Police, the Australian Signals Directorate’s Australian Cyber Security Centre, and the NSW Information and Privacy Commission (IPC).

Vice-Chancellor Professor George Williams said the university had been the “subject of persistent and targeted attacks on our network”.

“The University is very aware of the personal impact these incidents are having on its students, staff and wider community,” he said.

“On behalf of the University, I apologise to our community. Our teams are working hard to respond and strengthen our digital environment.

“The higher education sector is increasingly the target of cyber attacks and Western Sydney University is not immune to this evolving threat landscape.”

Joanna Panagopoulos



Original URL: https://www.theaustralian.com.au/higher-education/cyber-attack-data-of-10000-current-and-former-western-sydney-uni-students-unlawfully-accessed/news-story/27402bc808c36df1df94aaa3c2eb86f4