Around 10,000 current and former students at Western Sydney University have had their personal information hacked in a major data breach.

Western Sydney University is the 11th largest in the country, with around 46,000 students enrolled.

In a statement, the university revealed that attackers gained access through one of its single sign-on (SSO) systems in January and February 2025, compromising demographic, enrolment, and academic progression data.

Additionally, the university discovered personal information belonging to its students posted on a dark web forum dating back to November 2024.

"Western Sydney University has been the subject of persistent and targeted attacks on our network," said Vice-Chancellor and President, Distinguished Professor George Williams AO.

"The University is very aware of the personal impact these incidents are having on its students, staff and wider community."

The university immediately engaged internal and third-party cyber experts to shut down unauthorized access when detected and has activated its incident response plan. Affected students are expected to be notified next week.

Universities are attractive targets due to their vast stores of personal data, intellectual property, and research information, combined with typically less robust security infrastructure compared to corporate environments.

Western Sydney University has sought and obtained an interim injunction from the NSW Supreme Court to prevent access, use, transmission, and publication of any data associated with the dark web post.

Multiple law enforcement and security agencies are now involved in the investigation, including the National Office of Cyber Security, Australian Federal Police, the Australian Signals Directorate's Australian Cyber Security Centre, and the NSW Information and Privacy Commission.

The NSW Police Force's Cybercrime Squad is also investigating investigate the incidents.