Western Sydney University confirmed that data stolen in two earlier cyber incidents has now appeared on the open web and dark web. The breaches came from the Student Management System in October 2024 and the single sign-on system in April 2025.
In November 2024, hackers posted a dataset for sale on the dark web. It contained samples of student and staff information. Investigators linked the material to the October 2024 breach. The post remains active, and because it sits on the dark web, the university cannot take it down.
Between June 4 and 8, 2025, attackers published more datasets from the April breach. These appeared on two file-sharing websites and one dark web forum. The university ordered takedowns for the open web posts, and by June 8 the files were removed. By June 20, the dark web post was no longer accessible.
Data Exposed
The stolen data covers a wide range of personal and sensitive information. It includes names, addresses, phone numbers, dates of birth, tax file numbers, passport and visa details, bank accounts, and health records. Student admission information, academic results, and employee salary data were also disclosed.
Support for the Community
The university partnered with IDCARE, Australia’s identity and cyber support service, to provide free advice. Affected individuals can also use the university’s cyber incident website, a dedicated phone line, and the NSW Information and Privacy Commission for further help.
Security Measures
Western Sydney University says it has expanded its defences. New steps include 24/7 monitoring, stronger firewalls, password upgrades, and multi-factor authentication for staff and students. The university also appointed a senior risk advisor to improve cyber oversight.
Police Action
On June 25, NSW Police arrested a former student accused of accessing systems and trying to sell stolen data online. The NSW Supreme Court has issued an injunction that bans the use or sharing of any material taken without authorisation.
Next Steps
The university will notify individuals about specific impacts where possible. It also urges students and staff to stay alert for misuse of their information and to take the recommended steps to protect themselves.
