Hackers gained access to an online coding repository belonging to the University of Sydney and stole files with personal information of staff and students.
The institution said the breach was limited to a single system and was detected last week. It promptly shut down the unauthorized access and notified the New South Wales Privacy Commissioner, the Australian Cyber Security Centre, and education regulators.
“Last week, we were alerted to suspicious activity in one of our online IT code libraries. We took immediate action to protect our systems and community by blocking the unauthorised access and securing the environment,” reads the announcement.
“While principally used for code storage and development, unfortunately, there were also historical data files in this code library containing personal information about some members of our community.”
The personal data stolen in the attack impacts more than 27,000 individuals as follows:
- 10,000 current staff and affiliates employed or affiliated as of 4 September 2018
- 12,500 former staff and affiliates from the same date
- 5,000 students and alumni (from datasets dated roughly 2010–2019), plus six supporters
The staff data includes names, dates of birth, phone numbers, home addresses, and job details.
Although the university confirmed that this data was accessed and downloaded, it underlined that it found no evidence that it had been published online or misused.
The University of Sydney is a public university, one of the largest and most important in Australia, with 70,000 students and 10,000 academic and administrative staff.
The educational institute has started informing impacted individuals via personalized notifications today and expects to complete this process by next month.
A dedicated cyber-incident support service has also been established to provide counseling and support for affected individuals. A FAQ page has also been published and will be updated with new information from the investigation in progress.
Affected staff and students are advised to remain vigilant for unsolicited communications requesting additional information, change their online account passwords, and enable multi-factor authentication (MFA) where possible.
BleepingComputer has contacted the University of Sydney to request more details about the attack, but we are still waiting for a response.
In September 2023, the organization suffered another data breach from a third-party service provider, which exposed the personal information of international applicants at the time.
Broken IAM isn’t just an IT problem – the impact ripples across your whole business.
This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what “good” IAM looks like, and a simple checklist for building a scalable strategy.