Western Sydney University discloses data breach that impacts 7500 Individuals
In a student notification email, WSU interim vice-chancellor Professor Clare Pollock said the wsu data breach was initially detected in January 2022.
The intruder’s access was quickly shut down at that time. However, further investigation has since revealed that the intruder first gained access to the system as early as May 2021, longer than originally thought. Professor Pollock assured students that steps are being taken to strengthen security and prevent future intrusions.
“Since then, the university has been investigating the impact of the unauthorised access and investing in additional remediation measures,” Clare Pollock said.
“Monitoring and scanning indicates that the preventative measures taken as a part of the incident response have successfully prevented any further unauthorised access.”
Western Sydney University is taking several actions in response to the security breach. It has engaged the NSW Police and is working closely with the NSW Information and Privacy Commission as investigations continue.
Additionally, WSU notified and is working with several federal agencies including the Australian Federal Police, Australian Signals Directorate, Australian Cyber Security Centre, Home Affairs and Department of Defence.
WSU has also engaged cybersecurity firms CrowdStrike and CyberCX to help evaluate the full scope of the threat and ensure appropriate mitigation strategies are implemented.
Investigation on WSU Uni Data Breach Reveals Details
The intruder gained unauthorized access to WSU’s Microsoft Office 365 environment, resulting in some employee email accounts and SharePoint files being accessed. WSU is working diligently with experts to determine the full impact and strengthen its defenses.
The investigations have found that the intruder accessed a spreadsheet containing details of students graduating in August 2022 at some point between May 2021 and January 2022. The spreadsheet included sensitive personal information such as:
- Grade point average and weighted average mark
- Date of birth
- Student ID and full name
- Graduating degree, completion date, and graduation date
- Whether the student identifies as Aboriginal or Torres Strait Islander
- Mobile phone number
- University and personal email addresses
- Citizenship status
- Any prizes received
WSU continues to investigate the full scope of the incident to determine the duration of unauthorized access and all records affected. Steps are being taken to strengthen security protections for private student data moving forward.
While not providing the specific number of students impacted, the university notified approximately 7,500 individuals through emails. The university described these recipients as individuals potentially affected based on the known details of the WSU data breach.
“There have been no threats received by the university to disclose your private information more broadly, and the university has not received any demands in exchange for maintaining privacy,”
Pollock said.
For added protection, WSU obtained an injunction from the NSW Supreme Court that prohibits any individual from accessing, using, transmitting, or publishing data involved in the security breach.
The University’s Solar Car Laboratory Systems Used in WSU Security Breach
While the specific threat actor and techniques used have not been publicly disclosed, WSU’s investigations indicate the university’s Solar Car Laboratory systems may have been leveraged in carrying out the attack.
In a statement, interim vice-chancellor Professor Clare Pollock said, “On behalf of the entire university, I sincerely apologize for this incident and the effects it has had on our community. This type of event is hugely regrettable. We are fully committed to transparency, addressing the issues, and fulfilling all of our responsibilities to those impacted.”
Pollock acknowledged the profound impact on students and pledged WSU’s complete commitment to resolving the matter.
WSU has established a dedicated phone line and web resource for people to address any concerns or questions related to the incident. Additionally, free identity and credit monitoring services are being provided to students through IDCARE.
In her message, Professor Pollock said,
“We understand this situation may cause distress and we are here to support the community as we work to resolve it together.”
In a separate statement on the university website, WSU Vice-Chancellor and President Professor Barney Glover AO noted there was “no evidence that any Western Sydney University data, including personal information, was actually accessed or affected beyond our Microsoft Office 365 environment.”
While the breach occurred, he assured there were no signs that student information was compromised as a result.
Professor Glover acknowledged that taking the student management system offline temporarily disrupted standard operations. However, he noted this preventative measure was an important step for security given suspicious activity had been detected.
No specifics about the nature of the suspicious behavior were disclosed. Additionally, there has been no indication that this latest incident was related to the previous security breach disclosed earlier in the year.
While inconvenient in the short term, prioritizing the security of student information was stressed as a top priority by WSU leadership.
