Western Sydney University data breach exposed student data – Source: www.bleepingcomputer.com

Western Sydney University (WSU) has notified students and academic staff about a data breach after threat actors breached its Microsoft 365 and Sharepoint environment.

WSU is an educational institute in Australia offering a wide range of undergraduate, postgraduate, and research programs across various disciplines. It has 47,000 students and over 4,500 regular and seasonal staff, and it operates on a budget of $600 million (USD).

In an announcement posted on the Western Sydney University website today, the University warned that hackers had accessed its Microsoft Office 365 environment, including email accounts and SharePoint files.

“The investigation has indicated that the earliest known unauthorised access to the University’s Microsoft Office 365 environment was on 17 May 2023 and included access to some email accounts and SharePoint files,” reads the WSU announcement.

“Investigations also indicate that the University’s Solar Car Laboratory infrastructure may have been used as part of the incident.”

The data that has been exposed varies per individual depending on the contents of the email communications and the documents stored in the University’s SharePoint environment.

This intrusion was only discovered much later, in January 2024, with the University’s IT team shutting the unauthorized access and launching an internal investigation into the incident, also involving specialists from the NSW Police, CrowdStrike, and CyberCX.

The investigation’s results have verified the impact on approximately 7,500 individuals, who will soon receive personalized notices via email and phone.

However, this might not be the final figure, as the University noted that investigations are still ongoing.

WSU has not shared many details about the nature of the security incident, but it does not appear to involve system encryption or extortion based on threats to leak stolen data.

“There have been no threats received by the University to disclose any of the private information which was accessed, and the University has not received any demands in exchange for maintaining privacy.” – WSU.

WSU added that the University’s core operations haven’t been impacted, so the incident is not expected to disrupt classes, exams, registrations, or research programs.

The University has evaluated the security measures introduced post-compromise as adequate to prevent the re-occurrence of similar incidents and has been granted an injunction from the NSW Supreme Court to prevent the dissemination of any data that was accessed/stolen during the attack.

While threat actors do not normally care about court injuctions, it was also likely used to prevent the media or others from publishing any stolen data they receive.

At the time of writing, no ransomware or extortion groups have claimed responsibility for the attack at WSU, so the perpetrators remain unknown.

Impacted students and personnel can get support through a dedicated phone line and monitor this page for updates, while Australia’s national identity and cyber support service, IDCARE, is also engaged.