Western Sydney University Suffers Third Major Breach in 2024
Threat Actor Compromised an IT Account and Accessed Data Warehouse, Core Systems
Australia's Western Sydney University said hackers breached its student management system and data warehouse to steal students' demographic and enrollment information in the third data theft incident of 2024.
The Sydney-based university, which has close to 50,000 students enrolled in its undergraduate and postgraduate programs, said a threat actor on Aug. 14 compromised an IT account and used it to gain access to the Student Management System and other back-end data storage systems, including the data warehouse.
According to WSU, the Student Management System, purchased in 2021 from campus technology solutions provider Ellucian, manages "the full student life cycle from recruitment, admissions and enrolments through to the management of the progression and support of our students through their academic journey to graduation."
The unauthorized access, discovered by the university on Aug. 27 and severed on Aug. 31, enabled the threat actor to cart away a significant amount of students' personal information as well as enrollment details.
The breach followed two similar incidents disclosed in May and July this year that enabled external threat actors to gain access to the university's systems and exfiltrate vast amounts of stored data.
WSU on May 21 said threat actors gained unauthorized access to its Microsoft Office 365 environment between May 17, 2023, and January 2024 and accessed email accounts and SharePoint files associated with approximately 7,500 people. "Investigations also indicate that the university's Solar Car Laboratory infrastructure may have been used as part of the incident," WSU said.
Then on July 31, the university said malicious actors infiltrated its Isilon storage platform and gained unauthorized access to data stored in 83 of its 400 directories, totaling 580 terabytes of data that included staff and students' personal information. The unauthorized access began in July 2023 and lasted until March 16, 2024 (see: Western Sydney University Reveals Major Data Breach).
The latest incident, according to WSU, also enabled the threat actor to steal a significant amount of student data, including names, addresses, university-issued email addresses, student identification numbers, tuition fee information (including fees deferred to HELP/HECS), student admission and enrolment data (including subject, results and progression information), and student demographic data, including nationality, Indigenous status, country of birth, citizenship status, gender and date of birth.
WSU said the threat actor used "sophisticated techniques to gain unauthorized access in a targeted, persistent and sustained manner," but the hacker did not demand a ransom or upload the stolen data on a data leak site.
By accessing the data warehouse, the hacker had access to data sourced from various student systems, engagement platforms, HR systems and financial systems, and other back-end systems used by the technical teams and operational staff to support the university’s day-to-day operations.
WSU said that after the threat actor's malicious access was terminated, the school initiated a month-long investigation to determine the extent of the breach and has since improved its cybersecurity protections by forcing a mandatory password reset for all staff and student accounts, implementing 24/7 security monitoring, providing additional firewall protection, migrating the Student Management System to an external provider and increasing the size of the cybersecurity team.
"The university is working with cybersecurity experts and relevant authorities across government, including the National Office of Cyber Security, Australian Federal Police, the Australian Signals Directorate's Australian Cyber Security Centre, and the NSW Information and Privacy Commission," WSU said. "The NSW Police Force's Cybercrime Squad is also conducting an active investigation."