A former student has been charged over an extended series of security breaches linked to the Western Sydney University cyberattack that has affected the institution since 2021. According to police, the university endured repeated unauthorized access, data exfiltration, system compromises, and the misuse of its infrastructure, activities that also involved threats to release student information on the dark web. Authorities estimate that hundreds of staff and students have been impacted over the course of the breaches.
Detectives worked with Western Sydney University, the AFP’s Joint Policing Cyber Coordination Centre (JCP3), and external cybersecurity specialists to trace the intrusions. Their investigation led to a 27-year-old woman, a former student of the university, who was first arrested and charged in June.
The Complex Case of the Western Sydney University Cyberattack
Despite the earlier arrest, police allege the student continued offending, sending more than 100,000 fraudulent emails to students to damage the university’s reputation and cause distress. As part of the continuing inquiry into the cyberattack on Western Sydney University, detectives executed a search warrant in North Kellyville, where the student was again arrested. Officers stated that she possessed a mobile phone modified to function as a computer terminal, allegedly used in cyber offences.
She was taken to The Hills Police Station and charged with multiple offences, including two counts of unauthorized function with intent to commit a serious offence, two counts of fabricating false evidence with intent to mislead a judicial tribunal, and breach of bail. Police say she also posted fabricated material online that was designed to exonerate herself during the ongoing legal proceedings. Bail was refused, and she was due to appear in court the following day.
University Issues Public Notification After Continued Cyber Incidents
Western Sydney University released a public notification on 23 October 2025, advising the community of personal information that may have been compromised in the broader Western Sydney University cyberattack pattern. The notice included a statement expressing regret over the situation:
“I want to again apologize for the impact this is having and give you my assurance that we are doing everything we can to rectify this issue and support our community.”
The university confirmed that it had been working closely with the NSW Police Force Cybercrime Squad’s Strike Force Docker, which had arrested and charged the former student on 25 June 2025. However, attempts to breach university systems continued even after the arrest, including attempts that exploited external IT service providers.
Unusual activity was detected twice, on 6 August and 11 August 2025, within the Student Management System, which is hosted by a third-party provider on a cloud platform. An immediate investigation led the university to shut down access to the platform. It was later confirmed that unauthorized access occurred through external systems linked to the platform between 19 June and 3 September 2025. These linked systems allow intruders to extract personal data from the Student Management System.
University investigators also determined that fraudulent emails sent on 6 October 2025 had used data stolen during this period. Authorities asked the university to delay notifying the community to avoid disrupting the police investigation. With approval finally granted, the university issued a comprehensive notice to students, former students, staff, offer recipients, The College, The International College, and Early Learning Ltd personnel.
Scope of Compromised Information
According to the public notification, the cyber incidents may have exposed a wide range of personal information, including contact details, names, dates of birth, identification numbers, nationality information, employment and payroll records, bank and tax details, driver’s license and passport information, visa documentation, complaint files, and certain health, disability, and legal information.
Individual notifications are being issued to those affected, including updated findings from earlier incidents.
The notification advised individuals to change passwords, preferably to those of at least 15 characters, and implement multi-factor authentication across online accounts. Additional support services include a dedicated cyber incident website, a university phone line for inquiries, resources from the NSW Information and Privacy Commission, and reporting options via the Australian Cyber Security Centre for anyone who believes their information has been misused.
