A former student of Western Sydney University is facing serious charges tied to a series of security breaches that have plagued the institution since 2021. Law enforcement officials report that these breaches involved numerous unauthorized accesses, the extraction of sensitive data, and substantial system compromises. Worse still, the individual allegedly threatened to expose personal information of students on the dark web. Authorities estimate that these breaches have impacted hundreds of both staff and students at the university.
The Investigation into the Cyberattack
Detectives joined forces with Western Sydney University, the AFP’s Joint Policing Cyber Coordination Centre (JCP3), and various external cybersecurity experts to trace the ongoing intrusions. This collaborative effort led to the arrest of a 27-year-old woman, a former university student, who was first taken into custody in June of this year.
Continued Offenses Even After Arrest
Despite the initial arrest, police allege that the suspect continued her illicit activities. Reports indicate she sent over 100,000 fraudulent emails to students, aiming to tarnish the university’s reputation and instill fear among its community. As part of the ongoing investigation into the cyberattack, law enforcement executed a search warrant in North Kellyville, which resulted in her re-arrest. Authorities discovered she had a mobile phone configured to function like a computer terminal, allegedly for carrying out these cyber offenses.
Multiple Charges Filed
Following her second arrest, the woman was taken to The Hills Police Station, where she faced multiple charges. These included two counts of unauthorized access with intent to commit a serious offense, two counts of fabricating false evidence aimed at misleading a judicial tribunal, and breaches of bail conditions. In addition, it was found that she had posted bogus material online in an attempt to clear her name during ongoing legal proceedings. Following these developments, bail was denied, and she was scheduled to appear in court the next day.
University’s Response to Ongoing Cyber Incidents
On October 23, 2025, Western Sydney University issued a public notification addressing the broader implications of the cyberattacks, specifically highlighting potential compromises of personal information. In a statement, the university expressed its regret over the situation, assuring the community that every effort was being made to resolve the issue.
“I want to again apologize for the impact this is having and give you my assurance that we are doing everything we can to rectify this issue and support our community,” the statement said.
Collaboration with Law Enforcement
The university confirmed its ongoing collaboration with the NSW Police Force Cybercrime Squad’s Strike Force Docker. Despite the arrest of the former student in June 2025, attempts to breach the university’s IT systems continued, with malicious activity reported on external IT service providers.
Unusual activities were noted on August 6 and August 11, 2025, in the Student Management System hosted by a third-party provider. These incidents prompted an immediate investigation, which led to the university suspending access to the platform. It was later confirmed that unauthorized access had occurred between June 19 and September 3, 2025, allowing intruders to extract personal data from the system.
Scope of Compromised Information
According to the university’s public notification, the cyber incidents may have compromised a wide array of personal information. This includes names, contact details, dates of birth, identification numbers, employment records, bank and tax details, and even health information. Individual notifications are being sent to those affected, informing them of new developments.
The notification also urged individuals to change their passwords—suggesting at least 15 characters—and implement multi-factor authentication for their online accounts. For additional support, the university has set up a dedicated cyber incident website, a helpline for inquiries, and is providing resources through the NSW Information and Privacy Commission. Furthermore, anyone who believes their information has been misused can report it via the Australian Cyber Security Centre.
