The University of Sydney has recently confirmed a significant cybersecurity breach that has compromised personal information belonging to thousands of its current and former staff, as well as some students, alumni, and supporters. On December 18, 2025, the university disclosed the incident to the community after detecting unauthorized access to an internal online IT code library.
University officials noted that the suspicious activity was identified during their routine monitoring of the platform, which is primarily designed for software development and code storage. Although this system was not meant to hold personal records, investigators discovered that historical data files, kept primarily for testing purposes, were inadvertently stored there. These files were accessed and downloaded by an unauthorized party before any interventions occurred.
Upon discovering the breach, the University of Sydney acted quickly to block unauthorized access and secure the affected environment. Officials made it clear that this incident was not connected to a previous breach regarding student results that had been reported earlier.
Understanding the Cybersecurity Breach
Initial investigations suggest that the data breach has affected a diverse group of individuals. Notably, the compromised files included a dataset from a retired system, containing personal information about university staff employed as of September 4, 2018. The exposed details included names, birthdates, telephone numbers, home addresses, and fundamental employment information such as job titles and employment dates.
In total, the personal data of approximately 10,000 current staff and affiliates, along with about 12,500 former staff and affiliates from that time frame, was accessed. Additionally, historical datasets from between 2010 and 2019 contained personal details related to around 5,000 students and alumni, as well as information on six supporters.
The Vice President for Operations, Nicole Gower, conveyed the scope of the cyberattack in a written message to staff, expressing her apologies for the situation. “We understand this news may cause concern, and we sincerely apologize for any distress this may cause,” Gower noted. She added, “While the data has been accessed and downloaded, there is currently no evidence that it has been used or published.”
Investigative Actions and Official Notifications
The University of Sydney has promptly reported the breach to several government bodies, including the NSW Privacy Commissioner, the Australian Cyber Security Centre, and others. The institution is collaborating with external cybersecurity partners to evaluate whether the accessed data has been disclosed publicly online.
As of now, university officials believe that the unauthorized access was restricted to a single platform, with no indication that other university systems were compromised. However, due to the complexity of the situation, the investigation will continue into the new year.
Notifications to affected individuals began on December 18, 2025, and the university aims to complete this outreach by January 2026. The timeline depends on the completion of file reviews and confirmation of contact details for all impacted individuals. The university is also providing updates and answers to frequently asked questions on its website as the situation develops.
Support Services for Affected Individuals
In light of the data breach, the University of Sydney has set up a range of support services specifically for staff, students, alumni, and affiliates. A dedicated cyber incident support service is available to manage inquiries, and this service will operate during the university’s closure from December 20, 2025, to January 5, 2026, excluding public holidays.
Staff members can access counseling and wellbeing support through Converge International, while students have the option of free and confidential assistance via Student Wellbeing services, which are available 24/7. Additional resources are provided through external organizations like ID Support NSW, IDCARE, Beyond Blue, and Lifeline.
The university has also advised those affected to stay vigilant by monitoring their accounts for any unusual activity, changing passwords, enabling multi-factor authentication, and being cautious about phishing attempts. Officials have encouraged individuals to share details of the incident on social media to minimize the potential for scams.
University leadership has reiterated their commitment to cybersecurity, highlighting that an extensive program to enhance data management practices has been in place for the last three years. Further updates will be shared as the investigation into this cyberattack progresses and new findings emerge.
