The University of Sydney has confirmed a significant data breach affecting thousands of current and former staff members, as well as students and alums.
In a message to the university community, Vice-President (Operations) Nicole Gower revealed that suspicious activity was detected in an online IT code library last week.
While this digital storage space was meant for software development, it also contained old files with sensitive personal information.
Hackers gained unauthorized access to a “code library,” a place where developers store and test computer code. The university’s security team detected the intrusion and immediately blocked the access.
Although the breach has been stopped, an investigation showed that the intruders downloaded historical files. These files were likely used for testing purposes years ago but were never removed.
Notably, the university clarified that this cyber-attack is not related to a separate technical issue involving student results that occurred earlier this week. The breach exposed personal details for thousands of people.
According to the university, the stolen data includes: Names, Dates of birth, Phone numbers, home addresses, Job titles, and employment dates.
Currently, officials state there is no evidence that the stolen data has been published online or used for fraud. However, the risk remains, and the university is monitoring the situation closely.
The breach impacts three main groups, totaling over 27,000 individuals:
| Affected Group | Approximate Number | Details |
|---|---|---|
| Current Staff | ~10,000 | Employees working at the university as of September 4, 2018 |
| Former Staff | ~12,500 | Former employees who worked there as of the same 2018 date |
| Students and Alumni | ~5,000+ | Students and graduates (mainly from 2010–2019), plus a small number of supporters |
University Response and Next Steps
The University of Sydney has launched a significant investigation that is expected to continue into January 2026.
They have also notified government authorities, including the Australian Cyber Security Centre and the NSW Privacy Commissioner.
“We understand this news may cause concern, and we sincerely apologise for any distress this may cause,” said Nicole Gower. Notifications to affected individuals began today.
The university aims to contact everyone impacted by January 2026. Security experts recommend that anyone potentially affected take the following simple steps to stay safe:
- Be Alert: Watch out for strange emails, texts, or phone calls asking for personal info. Scammers often use breached data to make their messages look real.
- Change Passwords: Update passwords for online accounts and use Multi-Factor Authentication (MFA) where possible.
- Monitor Accounts: Check bank statements and university accounts for any unusual activity.
The university has set up a dedicated Cyber Incident Support Form. It is offering free counseling services through Converge International for distressed staff.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
