Western Sydney University (WSU) has revealed that its systems were breached by a threat actor, leading to student information being potentially exposed.
In a student notification email seen by Cyber Daily, WSU interim vice-chancellor Professor Clare Pollock said the intrusion was detected in January this year but was “quickly shut down”; however, investigations have revealed that access occurred as early as 17 May 2023.
“Since then, the university has been investigating the impact of the unauthorised access and investing in additional remediation measures,” Pollock said.
“Monitoring and scanning indicates that the preventative measures taken as a part of the incident response have successfully prevented any further unauthorised access.”
As part of its response, WSU engaged NSW Police and is working with the NSW Information and Privacy Commission. Investigations are still ongoing.
Additionally, it notified the Australian Federal Police, Australian Signals Directorate, the Australian Cyber Security Centre, Home Affairs and the Department of Defence and engaged both CrowdStrike and CyberCX to guide it through the process of evaluating the threat and mitigating further damage.
According to WSU, the threat actor gained access to the university’s Microsoft Office 365 environment, and some email accounts and SharePoint files were accessed.
The investigations to date also found that between 17 May 2023 and January 2024, a spreadsheet containing the details of students due to graduate in August 2023 was accessed, which contained details such as:
While the number of students affected was not disclosed, the university said that 7,500 notification emails were sent to “impacted individuals”.
“There have been no threats received by the university to disclose your private information more broadly, and the university has not received any demands in exchange for maintaining privacy,” Pollock said.
Additionally, the university said it has been granted an injunction from the NSW Supreme Court to “prevent access, use, transmission and publication of any data that was the subject of the incident”.
While the threat actor and their attack vectors have not been publicly identified, WSU said investigations suggest that its Solar Car Laboratory infrastructure may have been used in the attack.
“On behalf of the university, I unreservedly apologise for this incident and its impact on our community. It is deeply regrettable, and we are committed to transparently rectifying the matter and fulfilling our obligations,” Pollock said.
A dedicated phone line and webpage have been set up for those with questions, and students have been provided free access to IDCARE.
“We appreciate that this may be upsetting, and we are here to support you as we work through this together,” Pollock said.
Cyber Daily previously reported in April last year that Western Sydney University detected suspicious activity on its systems.
In a statement published on the university website, WSU vice-chancellor and president Professor Barney Glover AO said there was “no evidence of any Western Sydney University information, including personal information, being accessed or compromised in any way”.
“Whilst we appreciate this investigation interrupted business operations, taking our student management system offline for a brief period has been an important, preventative measure,” he said.
No details of what the suspicious activity was were released. There is nothing to suggest that the incident was connected to the latest breach.