Particle.news

Western Sydney University Confirms Major Data Theft Through Third‑Party Systems

Investigators say intruders entered via linked vendor systems, prompting victim notifications under a court order that limits use of stolen data.

Overview

  • WSU says unauthorised access to its cloud‑hosted Student Management System occurred via linked third‑ and fourth‑party systems between 19 June and 3 September.
  • A wide range of sensitive records was exposed, including bank details, tax file numbers, driver licences, passports and visas, plus health, disability and legal information.
  • Data from about 10,000 students appeared on the dark web, and stolen records were used to send fraudulent emails to students and alumni on 6–7 October.
  • NSW Police asked the university to delay broader notification during active inquiries, and an interim injunction restricts the transmission or publication of unlawfully obtained material.
  • WSU is notifying affected individuals and working with the NSW Police Cybercrime Squad’s Strike Force Docker and third‑party providers; no link has been established to a June arrest of a former student.