On 6th October, Western Sydney University (WSU) suffered a data breach where hackers accessed student and alumni email accounts via the university’s domain. Fraudulent emails were sent to thousands, falsely claiming their degrees were revoked and their enrolments terminated. The breach exposed full names, student numbers, and potentially other personal data, raising concerns about identity theft and privacy violations. The incident followed a prior breach in June 2024, where a former student arrested for hacking WSU servers allegedly stole and threatened to sell student data on the dark web, escalating to a $40,000 ransom demand. The university’s weak security systems were criticized, with prospective students citing the breach as a deterrent to enrollment. NSW Police are investigating, and WSU faces potential legal liability under Australian privacy laws for failing to safeguard sensitive information. The breach eroded trust in the institution’s cybersecurity measures and operational integrity.
Source: https://honisoit.com/2025/10/wsu-students-told-degrees-are-fake-in-another-data-breach/
TPRM report: https://www.rankiteo.com/company/thewesternsydneyu
"id": "the2962529100825",
"linkid": "thewesternsydneyu",
"type": "Breach",
"date": "6/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'thousands (students and alumni, '
'including those from as early '
'as 2012)',
'industry': 'higher education',
'location': 'Sydney, New South Wales, Australia',
'name': 'Western Sydney University (WSU)',
'size': 'large (thousands of students and alumni '
'affected)',
'type': 'educational institution'}],
'attack_vector': ['compromised email system',
'insider threat (former student)',
'phishing/spoofed emails'],
'customer_advisories': ['email from WSU Vice Chancellor confirming '
'investigation and assuring enrolments remain '
'unchanged'],
'data_breach': {'data_exfiltration': ['confirmed in June 2024 incident (data '
'threatened for sale on dark web)',
'unclear for October 2024 spoofing '
'incident'],
'number_of_records_exposed': 'thousands (exact number '
'unspecified)',
'personally_identifiable_information': ['full names',
'student numbers'],
'sensitivity_of_data': 'high (includes full names, student '
'numbers, and potentially other PII)',
'type_of_data_compromised': ['personally identifiable '
'information (PII)',
'student records',
'email addresses']},
'date_detected': '2024-10-06',
'date_publicly_disclosed': '2024-10-07',
'description': 'On 6th October 2024, thousands of Western Sydney University '
'(WSU) students and alumni received fraudulent emails claiming '
"their degrees were 'not legitimate' and that they were "
'permanently excluded from the university. The emails, sent '
'via a no-reply WSU domain address, were later confirmed to be '
'part of a security breach exploiting WSU’s weak email '
"security system. A follow-up email from 'Parking compliance, "
"campus safety and security' alerted recipients to the breach. "
'The incident follows a June 2024 arrest of a former WSU '
'student for hacking university servers, altering grades, '
'stealing personal data, and threatening to sell it on the '
'dark web. NSW Police and WSU are investigating, with students '
'advised not to engage with the fraudulent emails. The breach '
'raises concerns about WSU’s compliance with Australian '
'privacy laws and its liability for failing to protect student '
'data.',
'impact': {'brand_reputation_impact': ['severe damage due to false revocation '
'notices and repeated breaches'],
'conversion_rate_impact': ['prospective students deterred from '
'applying'],
'customer_complaints': ['reported online by affected students and '
'alumni'],
'data_compromised': ['student names',
'student numbers',
'email addresses',
'potentially other personal information'],
'identity_theft_risk': ['high (student names and numbers exposed)'],
'legal_liabilities': ['potential liability under Australian '
'privacy laws for failing to protect student '
'data'],
'operational_impact': ['student confusion and distress',
'reputation damage',
'potential decline in student applications'],
'systems_affected': ['WSU email system',
'student records database']},
'initial_access_broker': {'data_sold_on_dark_web': ['threatened in June 2024 '
'incident'],
'entry_point': ['compromised WSU email system '
'(October 2024)',
'insider access via former student '
'(June 2024)'],
'high_value_targets': ['student records database',
'email system']},
'investigation_status': 'ongoing (as of 2024-10-07)',
'motivation': ['financial gain (ransom demand)',
'disruption',
'data theft for dark web sale',
'reputation damage'],
'post_incident_analysis': {'root_causes': ['weak email security controls',
'insufficient access management',
'failure to prevent insider '
'threats']},
'ransomware': {'data_exfiltration': ['threatened in June 2024 incident'],
'ransom_demanded': '$40,000 (in November 2024, linked to June '
'2024 arrest)'},
'references': [{'date_accessed': '2024-10-07',
'source': 'Western Sydney University Vice Chancellor Email (7 '
'October 2024)'},
{'date_accessed': '2024-10-06',
'source': 'Student and Alumni Reports (Online Posts)'},
{'date_accessed': '2024-06-01',
'source': 'NSW Police Investigation (June 2024 Arrest)'}],
'regulatory_compliance': {'legal_actions': ['21 offences charged against '
'former student (arrested in June '
'2024)'],
'regulations_violated': ['Australian privacy laws '
'(unauthorized access to '
'emails and false identity '
'usage)']},
'response': {'communication_strategy': ['email from Vice Chancellor George '
'Williams on 2024-10-07',
'public disclosure of investigation'],
'containment_measures': ['advisory sent to students to ignore '
'fraudulent emails',
'investigation into email system '
'compromise'],
'incident_response_plan_activated': 'yes (investigation launched '
'on 2024-10-07)',
'law_enforcement_notified': 'yes (NSW Police investigating)',
'third_party_assistance': ['NSW Police']},
'stakeholder_advisories': ['students and alumni advised not to respond to '
'fraudulent emails'],
'threat_actor': ['former WSU student (arrested in June 2024)',
'unknown external actor (for spoofed emails)'],
'title': 'Western Sydney University (WSU) Email Spoofing and Data Breach '
'Incident',
'type': ['data breach',
'email spoofing',
'unauthorized access',
'social engineering'],
'vulnerability_exploited': ['weak email security controls',
'insufficient access controls',
'lack of multi-factor authentication (MFA)']}