Western Sydney University (WSU) has confirmed a significant cyber breach in which hackers stole a broad range of sensitive student information including tax file numbers, passport details, and private health and disability data, following a months-long intrusion into its systems.
The university revealed that the attack occurred between June 19 and September 3, 2025, after detecting suspicious activity on August 6 and 11. “This activity occurred on the University’s Student Management System, hosted by a third-party provider on a cloud-based platform,” WSU said in a statement. “An investigation commenced immediately, and the university directed the provider to shut down access to its platform.”
Investigators determined that unauthorized access was gained through an external system connected to the platform, allowing attackers to exfiltrate data from multiple linked third- and fourth-party systems. The stolen information includes names, birth dates, ethnicity, employment and payroll records, bank account and tax file numbers, driver’s licence and passport details, visa information, complaint records, and health, disability, and legal data.
Vice-Chancellor and President Distinguished Professor George Williams AO apologized to those affected, assuring the university community that every effort was being made to address the breach. “This starts with working closely with the NSW Police Force Cybercrime Squad’s Strike Force Docker and includes our ongoing efforts to strengthen our cybersecurity,” he said.
The incident follows the June arrest of former WSU student Birdie Kingston, who was accused of launching a series of cyberattacks on the university beginning in 2021. Despite her arrest, Professor Williams said attempts to access WSU systems have continued, including through third-party IT providers. “In recent weeks, it has become clear that these incidents are intended to harm our community,” he added.
While police have not confirmed a connection between Kingston’s alleged crimes and the latest breach, authorities previously alleged she issued a ransom threat in November 2024 and is facing over 20 charges related to unauthorized system access and data modification.
Detective Acting Superintendent Jason Smith of the NSW Police Cybercrime Squad stated earlier that investigators recovered more than 100GB of data from a cloud server during Kingston’s arrest. He noted that the data was never publicly posted and that no ransom was paid. “We believe the incidents were driven by the person’s grievances with the university,” he said.
WSU has begun notifying affected students and continues to work with law enforcement and cybersecurity specialists to secure its systems and prevent further compromise.
