Western Sydney University has confirmed that personal information stolen in previous cyber-attacks was unlawfully published on web forums in 2025, breaching a NSW Supreme court injunction designed to prevent such disclosure.

The university detected the unauthorised publication through enhanced cyber monitoring capabilities and successfully removed the full data sets. However, a sample dataset has been accessible on the dark web from 1 November 2024 and remains live.

"Our University has been relentlessly targeted in a string of attacks on our network. This has taken a considerable toll on our community, and for that, I am deeply sorry," said Vice-Chancellor George Williams in a statement yesterday.

The published data originated from two separate incidents: a Student Management System breach notified in October 2024, and a single sign-on systems compromise announced in April 2025. Information included tax file numbers, passport details, bank account information, and sensitive health data.

A dark web post containing sample data from the October incident was discovered on 24 March 2025, dated 1 November 2024.

“The University securely downloaded the sample data and undertook forensic analysis which confirmed it contained legitimate University data. The University did not purchase the larger dataset as it does not participate in the proceeds of crime and will not pay for information that has been unlawfully obtained.”

“The nature of the dark web means it is not possible to issue takedown notices to dark web forums,” the University stated.

Additional open web and dark web posts appeared between 4-8 June 2025, linking to the full datasets available for download.

The university's rapid response protocol enabled takedown notices to be issued to open web forums within eight hours of detection. All open web datasets were removed by 8 June 2025, with the dark web material becoming inaccessible by 20 June 2025.

"I'd like to thank the NSW Police who recently charged a former student from the University in relation to cyber offences," Williams said. NSW Police arrested the former student on 25 June 2025, alleging involvement in unauthorised system access and threats to sell confidential information.

The incident affects current and former students and staff across Western Sydney University, The College, The International College, and Early Learning Ltd. The university has engaged IDCARE to provide free identity protection advice to affected individuals.

Security enhancements implemented include 24/7 monitoring capabilities, additional firewall protection, expanded cyber security teams, and multi-factor authentication rollout for staff, with student implementation underway.

The University stated it is continuing to work with the National Office of Cyber Security, Australian Federal Police and Australian Signals Directorate's Australian Cyber Security Centre on ongoing investigations.