A 27-year-old former student has been arrested in connection with the cyber attack on Western Sydney University. NSW Police’s Cybercrime Squad executed a search warrant at her Kingswood residence on 25 June 2025, charging her with 20 offences including unauthorised access, modification of restricted data, and dishonestly obtaining property by deception. Police allege she initially accessed university systems to obtain discounted parking before escalating to altering academic records and threatening to sell student data on the dark web. The arrest follows a multi-year investigation involving Strike Force GIRRAKOOL. She has been refused bail and is due to appear in Parramatta Local Court.
Western Sydney University (WSU) disclosed on 25 June 2024 that it had been the target of a significant cyber attack involving unauthorised access to its Microsoft Office 365 environment. The breach reportedly began in May 2023 and continued undetected until January 2024. During this period, attackers gained access to email accounts, SharePoint files, and OneDrive storage used by both staff and students.
Among the data potentially accessed were academic results, personal identification documents, and internal communications. The university has not yet confirmed the exact volume or sensitivity of the compromised data, but it has acknowledged that the breach affected multiple systems and user groups.
WSU stated that it engaged external cybersecurity experts and notified the NSW Police Cybercrime Squad and the Australian Cyber Security Centre (ACSC) once the breach was identified. A full forensic investigation is now underway. The university has also begun contacting affected individuals and offering support services, including identity protection assistance.
While the breach was detected in January, the delay in public disclosure until late June has drawn criticism from cybersecurity experts and privacy advocates. The university maintains that it needed time to assess the scope of the breach and secure its systems before going public. However, the lack of early notification raises questions about compliance with mandatory data breach reporting obligations under the Privacy Act 1988 (Cth).
The full extent of the data breach at Western Sydney University remains under investigation, but preliminary findings suggest that a wide range of sensitive information may have been compromised. This includes:
Academic results and transcripts: These could be used for identity theft, fraud, or credential forgery, particularly if paired with other personal identifiers.
Staff and student ID documents: Some files accessed reportedly include scanned copies of passports, driver licences, and student IDs, raising the risk of long-term identity misuse.
Internal communications and research data: Emails and shared documents may contain confidential research, financial information, or intellectual property, which could be valuable to cybercriminals or foreign actors.
There are also unconfirmed reports that some of the stolen data has been offered for sale or distribution on the dark web. While WSU has not verified this, the Australian Federal Police and ACSC are reportedly monitoring dark web forums for signs of leaked information.
The attack appears to have exploited vulnerabilities in WSU’s Microsoft 365 configuration, possibly through compromised credentials or inadequate multi-factor authentication. This mirrors patterns seen in other Australian university breaches, including the 2020 attack on the Australian National University, which took months to detect and involved similar data types.
Cybersecurity experts have warned that the breach could have long-term consequences for those affected, particularly if the data is used in phishing campaigns, scams, or synthetic identity creation. The incident underscores the need for stronger access controls, regular audits, and faster breach detection systems within higher education institutions.
Increased vulnerability of universities: Australian universities are becoming prime targets for cybercriminals due to the large volumes of personal data, research IP, and international collaborations they manage. The WSU breach adds to a growing list of attacks that suggest systemic underinvestment in cybersecurity across the sector.
Regulatory scrutiny and compliance gaps: The delayed disclosure of the breach raises concerns about compliance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act. The Office of the Australian Information Commissioner (OAIC) may investigate whether WSU met its legal obligations to notify affected individuals promptly.
Trust and reputational damage: For students and staff, trust in the university’s ability to protect their information has been eroded. This could affect enrolment decisions, staff retention, and international partnerships, particularly if the breach is found to have been preventable.
Policy and funding implications: The incident may prompt renewed calls for dedicated cybersecurity funding for higher education, particularly for regional and public universities. The 2023 Universities Accord interim report noted that digital infrastructure remains a weak point across the sector.
Dark web monitoring and law enforcement coordination: The involvement of the ACSC and NSW Police Cybercrime Squad highlights the growing need for coordinated national responses to cyber threats. However, reactive investigations may not be enough without proactive monitoring and threat intelligence sharing.
As cyber attacks become more frequent and sophisticated, the WSU breach serves as a warning that Australia’s education sector must treat cybersecurity as a core operational priority, not an IT afterthought.
The 2020 cyber attack on the Australian National University (ANU) remains one of the most detailed case studies of a university breach in Australia. That attack, which went undetected for months, involved the theft of 19 years’ worth of personal and academic data. ANU responded by publishing a comprehensive post-incident report, overhauling its cybersecurity protocols, and investing in staff training and system upgrades.
Similarly, Deakin University experienced a breach in 2022 when a third-party contractor’s account was compromised, leading to the exposure of student contact details. Deakin acted quickly to notify affected individuals and implemented new vendor risk management protocols.
These cases show that while breaches may be inevitable, transparency, speed of response, and long-term system reform are crucial to restoring trust and preventing recurrence. Western Sydney University’s next steps will be closely watched by the sector and policymakers alike.
Students and staff at WSU should remain vigilant for phishing emails, identity fraud, or unusual account activity. The university has advised those affected to change passwords, monitor financial accounts, and consider placing credit alerts with major reporting agencies. Free identity protection services are being offered to impacted individuals.
More broadly, the incident is a reminder for all Australians to adopt stronger digital hygiene practices, including using multi-factor authentication, avoiding password reuse, and staying informed about cyber threats. Institutional breaches can have personal consequences, but proactive steps can reduce the risk of harm.
.png)
