The cyber attack happened between June 19 and September 3 this year, the university revealed on Thursday.

It is understood the university first spotted suspicious activity on its systems in two incidents from August 6 and August 11.

“This activity occurred on the University’s Student Management System, hosted by a third-party provider on a cloud-based platform,” WSU said in a statement.

“An investigation commenced immediately and the university directed the third-party provider to shut down access to its platform.

“The investigation confirmed that unauthorised access to this system was obtained through a further external system linked to that platform between 19 June 2025 and 3 September 2025.

“Unauthorised entry through these third and fourth party systems enabled personal information to be accessed and exfiltrated from the university’s Student Management System.”

The hackers have stolen a vast range of sensitive data, including names, dates of birth, ethnicity, employment and payroll details, bank account details, tax file numbers, driver’s licence details, passport and visa information, complaint and case information and also health, disability and legal information.

Impacted students are being notified by the university.

“I want to again apologise for the impact this is having and give you my assurance that we are doing everything we can to rectify this issue and support our community,” WSU vice-chancellor and president Distinguished Professor George Williams AO said.

“This starts with working closely with NSW Police Force Cybercrime Squad’s Strike Force Docker and includes our ongoing efforts to strengthen our cyber security.”

The latest attack follows the arrest in June of former WSU student Birdie Kingston, who is accused of launching a series of cyber attacks on the university from 2021 onwards.

“Despite this (arrest), attempts to gain unauthorised access to our systems have continued, including via external parties that supply IT services to the university,” Professor Williams said.

“In recent weeks, it has become clear that these incidents are intended to harm our community.

“We encourage all students, staff and alumni who receive notifications to take the recommended actions, regardless of steps taken in the past, and to use the support services available.”

Police have not said that Ms Kingston’s alleged crimes are connected to this latest incident.

The police allege that in November last year Ms Kingston threatened to release data on the internet in a ransom demand.

She is facing more than 20 charges, including 10 counts of accessing or modifying restricted data held in a computer, four counts of unauthorised modification of data with intent to cause impairment and dishonestly obtaining financial advantage by deception.

The most serious charges carry a maximum penalty of 10 years in jail if she is convicted.

Investigators seized mobile phones and computers and began combing through more than 100GB worth of data that was retrieved from a cloud server, the police said in June.

It’s not alleged that the data was ever posted to the internet and the university did not pay the ransom.

“We also believe that the (cyber) incidents were driven by the person’s grievances with the university,” Detective Acting Superintendent Jason Smith from the NSW Police Cybercrime Squad said at the time of the arrest.