The University of Sydney has confirmed a major cybersecurity incident that resulted in the exposure of personal information belonging to thousands of current and former staff members, as well as smaller groups of students, alumni, and supporters. The University of Sydney cyberattack was formally disclosed to the university community on December 18, 2025, after the institution detected unauthorized access to an internal online IT code library.
University officials said the suspicious activity was identified last week during monitoring of the platform, which is primarily used for software development and code storage. While the system was never intended to house personal records, investigators found that historical data files had been stored within the library, largely for testing purposes. These files were accessed and downloaded by an unauthorized party before the university intervened.
Upon discovering the University of Sydney cyberattack, the university immediately blocked unauthorized access and secured the affected environment. Officials also clarified that the cyberattack on University of Sydney was unrelated to a separate incident involving student results reported earlier.
Decoding the University of Sydney Cyberattack
According to the university’s investigation to date, the data breach at the University of Sydney affected a wide range of individuals. The compromised files included a historical dataset from a retired system containing personal information about staff employed at the university as of September 4, 2018. Exposed details included names, dates of birth, phone numbers, home addresses, and basic employment information such as job titles and dates of employment.
In total, personal information belonging to around 10,000 current staff and affiliates and approximately 12,500 former staff and affiliates from that period was accessed. In addition, a collection of historical datasets, primarily from 2010 to 2019, contained personal information relating to about 5,000 students and alumni, along with data belonging to six supporters.
Vice President for Operations Nicole Gower addressed staff in a written message confirming the scope of the University of Sydney cyberattack and offering an apology. “We understand this news may cause concern, and we sincerely apologise for any distress this may cause,” Gower wrote. “While the data has been accessed and downloaded, there is currently no evidence that it has been used or published.”
Investigation, Notifications, and Official Response
The University of Sydney has reported the incident to multiple government authorities, including the NSW Privacy Commissioner, the Australian Cyber Security Centre, the Tertiary Education Quality and Standards Agency, the National Student Ombudsman, and ID Support NSW. The university is also working with external cybersecurity partners to assess whether any of the accessed data has been disclosed online.
At this stage, the university believes the unauthorized access was confined to a single platform and did not compromise other university systems. However, the investigation remains ongoing and is expected to continue into the new year due to its complexity.
Notifications to affected individuals began on December 18, 2025. The university expects to complete this process by January 2026, once file reviews are finalized, and contact details for all impacted individuals are confirmed. Updates and responses to frequently asked questions are being published on the university’s website as the situation evolves.
Support Services and Advice for Affected Individuals
In response to the University of Sydney data breach, a range of support services has been made available to staff, students, alumni, and affiliates. A dedicated cyber incident support service has been established to handle inquiries and will remain operational during the university’s closedown period from December 20, 2025, to January 5, 2026, excluding public holidays.
Staff members have access to counseling and wellbeing services through Converge International, while students can seek free and confidential support through Student Wellbeing services, which are available 24/7. Additional assistance is available through external organizations such as ID Support NSW, IDCARE, Beyond Blue, and Lifeline.
The university has also issued guidance urging affected individuals to remain vigilant by monitoring accounts for unusual activity, changing passwords, enabling multi-factor authentication, and being cautious of phishing attempts. Officials advised sharing details of the incident on social media to reduce the risk of scams.
University leadership reiterated that cybersecurity remains a priority and noted that an extensive program to strengthen data management practices has been underway for the past three years. Further updates will be provided as the investigation into the cyberattack on University of Sydney progresses and additional findings become available.
