In a follow-up to its May 2024 announcement of a data breach affecting its Microsoft Office 365 environment, Western Sydney University (WSU) has now confirmed that personal information stored in its Isilon storage platform was also subjected to unauthorized access. This platform holds ‘My Documents’ information, departmental shared folders, and some backup and archived data.
In an official statement, the University noted, “We have been and will continue to analyze the very large and complex dataset to properly understand the impact the unauthorized access to Isilon has had on individuals’ personal information.”
Western Sydney University Data Breach: Key Findings
The University has confirmed the following details regarding the Western Sydney University data breach:
- Scope of Access: Evidence shows that approximately 580 terabytes of data across 83 out of 400 directories in Isilon were accessed.
- Timeline: Unauthorized access to Isilon occurred between 9 July 2023 and 16 March 2024.
- Data Compromised: The initial review has found that personally identifiable information (PII) was accessed, including names, contact details, dates of birth, health information, sensitive workplace conduct and health and safety matters, government identification documents, tax file numbers, superannuation details, and bank account information.
- Extent of WSU Data Breach: Based on the forensic investigation to date, there is no evidence that this incident extends beyond the University’s Microsoft Office 365 and Isilon environments.
Current Situation
The University has not received any threats to disclose private information or demands in exchange for maintaining privacy. Furthermore, dark web monitoring has revealed no evidence that the data has been uploaded. No further unauthorized access to Isilon has been detected since remediation efforts took place. The University continues to work with authorities to investigate the perpetrator of the Isilon incident.
Since the initial discovery of unauthorized access to its IT network in January 2024, the University has been conducting forensic investigations to determine the full nature, scope, and scale of the incident.
This public notification, issued on 31 July 2024, aims to inform the University community, including former and current students and staff, about the unauthorized access to the Isilon storage platform.
University’s Response and Actions
Western Sydney University has been proactive in addressing the breach. The University has engaged Australia’s leading digital forensics and incident response team, CyberCX, and relevant authorities, including:
- National Office of Cyber Security
- Office of the Australian Information Commissioner
- NSW Information and Privacy Commission (IPC)
- Australian Federal Police
- Australian Cyber Security Centre
- Australian Signals Directorate
- Home Affairs
- NSW Police Force’s Cybercrime Squad under Strike Force GIRRAKOOL
To protect its community, the University secured an interim injunction from the NSW Supreme Court to prevent access, use, transmission, and publication of any data that was accessed without authorization.
The University’s leadership and Board have implemented several measures to mitigate the issue and enhance protection, including:
- Completing a password reset
- Enhancing detection monitoring
- Implementing additional firewall protection
- Increasing the cyber security team capacity
- Reviewing data storage and retention practices
On 31 July 2024, the University communicated directly with its community through emails to students, staff, and alumni, providing information on protective steps and available support services.
Next Steps
The University will continue to notify individuals about the impact on their personal information in the coming weeks. Due to the volume and complexity of the data, individual notifications may not be possible for all those affected.
The public notification aims to keep the community vigilant for any signs that their data may have been accessed. The University has engaged IDCARE, Australia’s national identity and cyber support service, to offer free advice and support to those concerned about protecting themselves from identity theft.
For more information on protecting personal information, visit IDCARE or call 1800 595 160, quoting reference number WESSYDPB24. An online Get Help form is also available.
The University has established a dedicated phone line for additional support and inquiries: 02 9174 6942 (Monday to Friday, 9.00am to 4.30pm AEST).
Western Sydney University remains committed to rectifying this matter transparently and keeping the community informed as the investigation progresses. The University unreservedly apologizes for the incident and its impact on the community.