By Frank Chung

Copyright news

“Western Sydney University is aware of fraudulent emails sent to students and graduates, with some falsely claiming that they have been excluded from the university or that their qualifications have been revoked,” a spokeswoman said in a statement on news.com.au.

“These emails are not legitimate and were not issued by the university. We are reaching out to inform people that the email is fraudulent and have informed NSW Police. As this is part of an ongoing police investigation, we are unable to provide further comment at this time.

“We sincerely apologise for any concern this may have caused.”

NSW Police earlier said it did “not have any information” about the emails.

Numerous reports flooded social media sites including Reddit and X on Monday after two sets of emails were sent from the official Western Sydney University email domain, addressed to recipients by name and student number.

It wasn’t clear if the two emails were sent by the same person or persons.

One from a sender labelled “no-reply” claimed the recipient’s degree had been revoked and they were to hand in their original documents.

“We regret to inform you that, following a thorough review, the decision has been made to permanently exclude you from any further study at Western Sydney University. As a result, any existing certificates or awards previously issued to you are hereby revoked,” read the email, seen by news.com.au.

“This action has been taken in accordance with the Western Sydney University Act 1997, the Western Sydney University By-law 2017, and the relevant policies outlined on the Policy DDS platform. Please be advised that, pursuant to university policy, the decision of the Board of Trustees is final and binding.

“It may not be subject to any internal appeal or review within the university. Should you wish to explore the possibility of a legal appeal outside of the University, we recommend that you consult with a solicitor to understand your rights.”

Former student Deanna, who asked not to use her last name, said the email had “caused immense undue stress and panic”.

“For the 20 minutes or so I thought this might be real, my entire life and a decade of hard work was down the drain,” she told news.com.au.

“It was a deeply cruel email to receive. I know that lots of people, myself included will be deeply angry about what happened. I still have not been contacted by WSU apologising or confirming it’s a scam. We are owed more than just an apology.”

Another, from “parking.permits”, appeared to outline how the breach occurred.

The email, seen by news.com.au, was titled, “Urgent: WSU’s Ongoing Security Flaws and Lack of Action”.

“I am writing to bring to your attention a critical issue regarding the ongoing security vulnerabilities at Western Sydney University (WSU),” the email read.

“As you may already be aware, WSU has once again fallen victim to a security breach, highlighting their failure to take the necessary steps to protect your personal data and online security.

“Recently, a student was charged by local authorities for exploiting a flaw in the university’s parking permit system.

“This student used a simple browser tool, Inspect Element, to obtain a free parking permit.

“This is a glaring indication of the fundamental security weaknesses that still exist within WSU’s systems.

“What’s more concerning is that these vulnerabilities are easily exploited with just a few clicks, and anyone with a basic understanding of web development can access and manipulate sensitive information.

It wasn’t immediately clear how many people received the emails or whether other sensitive information had been accessed.

WSU has around 50,000 current students.

“The problem is not new. In fact, WSU was made aware of this issue back in 2017, yet, despite being informed about it years ago, the university has neglected to take meaningful action,” the email continued.

“Now, in a particularly ironic twist, the university is charging a student for using these flaws, even though they have failed to address the security weaknesses that allowed this to happen in the first place.

“So, the question remains: Has WSU done anything to secure their systems since then? Based on the fact that this email was sent using the very same vulnerability in their website, the answer appears to be a resounding no.

“No improvements have been made, and no precautions have been implemented to ensure the security of your information.

“To make matters worse, in August, sensitive data submitted through WSU’s eForms system was hacked and stolen. This includes potentially highly confidential student information.

“Even more alarming is the fact that WSU has not disclosed this breach to students, leaving many unaware that their personal data may have been compromised. This lack of transparency is deeply troubling and further underscores the university’s disregard for student privacy and accountability.

“In addition, there have been verified instances where student grades were modified without the university’s knowledge, including cases that appear to involve direct database access. Alarmingly, WSU does not know how many students may have had their grades altered as a result, meaning the full scope of the damage remains unknown.

“This is not just a technical failure — it fundamentally undermines assessment fairness, and the credibility of qualifications issued by WSU but also damages the trust employers place in the university’s degrees.

“Academic records are supposed to be secure, verifiable, and tamper-proof. The fact that grades can be altered undetected is not just a technical failure — it is an institutional failure. If WSU cannot guarantee the integrity of its academic systems, students and graduates may find their qualifications questioned in the professional world.

“Given the severity and apparent scale of these failures, concerned students and staff should consider reporting WSU to the Tertiary Education Quality and Standards Agency (TEQSA) for an independent investigation into these systemic security and governance problems.

“It’s abundantly clear that WSU’s focus is not on safeguarding your privacy, but rather on collecting your fees. Their lack of action demonstrates a deep indifference to the security and wellbeing of their students. If the university truly cared about your data security, this problem would have been resolved long ago.

“At this point, there is no excuse for their inaction. WSU cannot deny that they have been aware of these issues for years. Their failure to address these vulnerabilities not only jeopardises your personal information but also undermines the trust that students should be able to place in their institution.

“I urge you to take this issue seriously and consider taking the necessary precautions to protect your personal data. You should not have to rely on a university that clearly prioritises financial gain over your security.”

It comes after a former engineering student was charged by NSW Police in June over a series of cyber attacks on Western Sydney University spanning four years.

Birdie Kingston, 27, allegedly first hacked the university’s database in 2021 to get cheaper parking on her campus, before escalating to altering her grades.

In 2023, she allegedly demanded $40,000 in cryptocurrency from the university, threatening to leak sensitive student information onto the dark web.

Western Sydney University advised thousands of current and former students in late August that their details had been shared on the dark web, including biographic information such as name and date of birth, email addresses and phone numbers, identity documents, tax file numbers, and admission and enrolment information.

The incidents happened in August 2024 when the hacker accessed the student management and back-end data storage systems and the single sign-on system in late January and February this year.

In an update, the university said its months-long investigation revealed a dark web post was shared on November 2024 containing a “sample set of data” available to download which also “mentions a larger dataset available for purchase”.

Its forensic team confirmed it contained university data and that the information for sale, as flagged in the dark web post, was “likely” from the August cyber attack.

“Our university has been relentlessly targeted in a string of attacks on our network. This has taken a considerable toll on our community, and for that, I am deeply sorry,” WSU Vice-Chancellor and President George Williams said in a statement at the time.

“I’d like to thank the NSW Police who recently charged a former student from the university in relation to cyber offences. As that matter is now before the court, I cannot make any further comment other than to say the University will continue to assist police with their investigations.

“On behalf of the university, I again apologise to our community. Our teams continue to strengthen the university’s digital environment and defend against threats.

“We ask that our community remains alert to any suspicious activity, and that they take action when asked to.”