Western Sydney University (WSU)

Western Sydney University (WSU) suffered a major data breach involving fraudulent emails sent from official university domains to students and alumni. Some emails falsely claimed degrees were revoked, coercing recipients into submitting personal documents, while others exposed systemic security flaws including a 2017 vulnerability in the parking permit system (exploited via *Inspect Element*) that remained unpatched. The breach also revealed unauthorized access to the eForms system, where sensitive student data (e.g., identity documents, tax file numbers, enrolment records) was stolen and leaked on the dark web. Additionally, academic records were tampered with undetected, compromising grade integrity and institutional credibility. A former student, previously charged for exploiting flaws to alter grades and extort $40,000 in cryptocurrency (2023), was linked to the incident. WSU failed to disclose the breach transparently, leaving thousands of current/former students’ data exposed and eroding trust in the university’s cybersecurity governance.

Source: https://www.dailymail.co.uk/news/article-15168497/Western-Sydney-University-revoke-email-data-breach.html

TPRM report: https://www.rankiteo.com/company/thewesternsydneyu

"id": "the0702707100725",
"linkid": "thewesternsydneyu",
"type": "Breach",
"date": "6/2017",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Unknown (fraudulent emails sent '
                                              'to students/alumni; data breach '
                                              'scope undisclosed)',
                        'industry': 'Higher Education',
                        'location': 'Sydney, Australia',
                        'name': 'Western Sydney University (WSU)',
                        'size': '~50,000 students',
                        'type': 'Educational Institution'}],
 'attack_vector': ['Email Spoofing',
                   'Exploitation of Web Application Vulnerabilities (Inspect '
                   'Element)',
                   'Direct Database Access',
                   'Social Engineering'],
 'customer_advisories': ['Fraudulent emails should be ignored and reported to '
                         'WSU IT security.',
                         'Students urged to verify any official communications '
                         'through WSU’s verified channels.',
                         'Affected individuals may request credit monitoring '
                         'or identity protection services.'],
 'data_breach': {'data_exfiltration': 'Yes (data shared on dark web in 2023)',
                 'file_types_exposed': ['Databases',
                                        'Emails',
                                        'PDFs (identity documents)',
                                        'Academic Records'],
                 'number_of_records_exposed': 'Unknown (thousands of '
                                              'current/former students '
                                              'affected in 2023 breach)',
                 'personally_identifiable_information': ['Names',
                                                         'Email Addresses',
                                                         'Phone Numbers',
                                                         'Tax File Numbers',
                                                         'Identity Documents '
                                                         '(e.g., passports, '
                                                         'driver’s licenses)'],
                 'sensitivity_of_data': 'High (includes identity documents, '
                                        'tax file numbers, and academic '
                                        'records)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Academic Records',
                                              'Financial Data (Tax File '
                                              'Numbers)',
                                              'Identity Documents',
                                              'Enrolment Information']},
 'date_detected': '2024-09-09',
 'date_publicly_disclosed': '2024-09-10',
 'description': 'Western Sydney University (WSU) experienced a major data '
                'breach where fraudulent emails were sent from official '
                'university email addresses to students and alumni. Some '
                "emails falsely claimed that recipients' degrees had been "
                'revoked, while others detailed systemic security flaws, '
                'including vulnerabilities in the parking permit system and '
                'eForms system. The breach also involved unauthorized grade '
                'modifications and potential exposure of sensitive student '
                'data, including identity documents and tax file numbers. A '
                'former student, Birdie Kingston, was previously charged in '
                '2023 for hacking the university’s database, attempting to '
                'alter grades, and demanding ransom in cryptocurrency.',
 'impact': {'brand_reputation_impact': ['Severe Damage to Institutional '
                                        'Reputation',
                                        'Erosion of Employer Trust in Degrees',
                                        'Negative Media Coverage'],
            'customer_complaints': ['Reports of Fraudulent Emails',
                                    'Concerns Over Data Security',
                                    'Demands for Transparency'],
            'data_compromised': ['Student Records',
                                 'Identity Documents',
                                 'Tax File Numbers',
                                 'Admission/Enrolment Information',
                                 'Academic Grades',
                                 'Parking Permit Data'],
            'identity_theft_risk': 'High (due to exposure of identity '
                                   'documents and tax file numbers)',
            'legal_liabilities': ['Potential Violations of Privacy Laws (e.g., '
                                  'Australian Privacy Principles)',
                                  'Litigation Risk from Affected Students',
                                  'Regulatory Fines (TEQSA or OAIC)'],
            'operational_impact': ['Disruption of Trust in Academic '
                                   'Credentials',
                                   'Loss of Student/Alumni Confidence',
                                   'Potential Regulatory Scrutiny (TEQSA)'],
            'systems_affected': ['Email System',
                                 'eForms System',
                                 'Parking Permit System',
                                 'Student Database',
                                 'Academic Records Database']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes (2023 breach)',
                           'entry_point': ['Parking Permit System '
                                           'Vulnerability (Inspect Element '
                                           'Exploit)',
                                           'eForms System Flaw',
                                           'Email Spoofing'],
                           'high_value_targets': ['Student Database',
                                                  'Academic Records',
                                                  'Identity Documents'],
                           'reconnaissance_period': 'Since at least 2017 '
                                                    '(parking permit flaw '
                                                    'known)'},
 'investigation_status': 'Ongoing (NSW Police investigation)',
 'lessons_learned': ['Long-standing vulnerabilities (e.g., parking permit '
                     'system flaw since 2017) must be prioritized for '
                     'remediation.',
                     'Lack of transparency in breach disclosure erodes trust '
                     'and exacerbates reputational damage.',
                     'Academic systems require robust access controls and '
                     'audit trails to prevent grade tampering.',
                     'Third-party security audits may be necessary to identify '
                     'and address systemic weaknesses.',
                     'Student data, including identity documents, must be '
                     'encrypted and protected with multi-factor '
                     'authentication.'],
 'motivation': ['Financial Gain (ransom demand)',
                'Academic Fraud (grade modification)',
                'Activism (exposing security flaws)',
                'Malicious Intent (fraudulent emails)'],
 'post_incident_analysis': {'corrective_actions': ['Immediate patching of all '
                                                   'identified vulnerabilities '
                                                   'in student-facing systems.',
                                                   'Implementation of MFA and '
                                                   'role-based access controls '
                                                   'for critical databases.',
                                                   'Third-party penetration '
                                                   'testing to identify and '
                                                   'remediate additional '
                                                   'flaws.',
                                                   'Development of a breach '
                                                   'disclosure protocol '
                                                   'compliant with Australian '
                                                   'privacy laws.',
                                                   'Establishment of a 24/7 '
                                                   'Security Operations Center '
                                                   '(SOC) for threat '
                                                   'monitoring.',
                                                   'Regular audits of academic '
                                                   'records to detect and '
                                                   'prevent grade tampering.'],
                            'root_causes': ['Failure to patch known '
                                            'vulnerabilities (e.g., parking '
                                            'permit system since 2017).',
                                            'Inadequate access controls for '
                                            'academic and administrative '
                                            'systems.',
                                            'Lack of encryption for sensitive '
                                            'student data (e.g., tax file '
                                            'numbers).',
                                            'Poor incident response '
                                            'transparency and communication.',
                                            'Insufficient staff/student '
                                            'cybersecurity awareness '
                                            'training.']},
 'ransomware': {'data_exfiltration': 'Yes (2023 breach)',
                'ransom_demanded': '$40,000 AUD (in cryptocurrency, 2023)',
                'ransom_paid': 'No (demand not met)'},
 'recommendations': ['Conduct a comprehensive security audit of all '
                     'student-facing systems (e.g., eForms, parking permits, '
                     'academic databases).',
                     'Implement multi-factor authentication (MFA) for all '
                     'critical systems and administrative access.',
                     'Establish a dedicated cybersecurity task force to '
                     'monitor and respond to threats in real-time.',
                     'Develop a clear breach disclosure policy to ensure '
                     'timely and transparent communication with affected '
                     'parties.',
                     'Collaborate with TEQSA and cybersecurity experts to '
                     'restore confidence in academic integrity and data '
                     'protection.',
                     'Provide identity theft protection services to affected '
                     'students/alumni.',
                     'Train staff and students on recognizing phishing emails '
                     'and social engineering attacks.'],
 'references': [{'date_accessed': '2024-09-10',
                 'source': 'Daily Mail Australia',
                 'url': 'https://www.dailymail.co.uk/news/article-13798001/Western-Sydney-University-students-told-degrees-revoked-fraudulent-emails-sent-huge-data-breach.html'},
                {'date_accessed': '2023-07-18',
                 'source': 'Penrith Local Court Records (Birdie Kingston '
                           'Case)'}],
 'regulatory_compliance': {'legal_actions': ['Criminal Charges Against Birdie '
                                             'Kingston (2023)',
                                             'Potential TEQSA Investigation'],
                           'regulations_violated': ['Australian Privacy '
                                                    'Principles (APP)',
                                                    'Potential Violations of '
                                                    'Tertiary Education '
                                                    'Quality and Standards '
                                                    'Agency (TEQSA) Standards'],
                           'regulatory_notifications': ['NSW Police Notified',
                                                        'TEQSA Considered for '
                                                        'Independent '
                                                        'Investigation']},
 'response': {'communication_strategy': ['Public Apology',
                                         'Limited Disclosure Due to Ongoing '
                                         'Investigation'],
              'containment_measures': ['Public Statement Issued',
                                       'Police Investigation Initiated'],
              'incident_response_plan_activated': 'Yes (NSW Police notified)',
              'law_enforcement_notified': 'Yes (NSW Police)'},
 'stakeholder_advisories': ['Students and alumni advised to monitor for '
                            'identity theft and report suspicious activity.',
                            'TEQSA encouraged to launch an independent '
                            'investigation into systemic security failures.'],
 'threat_actor': ['Birdie Kingston (former engineering student)',
                  'Unidentified actors (fraudulent emails)'],
 'title': 'Western Sydney University Data Breach and Fraudulent Emails',
 'type': ['Data Breach',
          'Phishing',
          'Unauthorized Access',
          'Grade Tampering',
          'Ransomware Attempt'],
 'vulnerability_exploited': ['Parking Permit System Flaw (since 2017)',
                             'eForms System Vulnerability',
                             'Lack of Input Validation',
                             'Insufficient Access Controls']}