Western Sydney University updated its community on Wednesday, 31 July 2024, on its ongoing investigation into unauthorised access to its information technology (IT) network.
Since the unauthorised access to the University’s IT network was discovered in January 2024, the University has been undertaking forensic investigations in line with its due diligence and legal obligations to determine the full nature, scope and scale of the incident.
As a result of the ongoing investigations, the University has today published a public notification on its website (www.westernsydney.edu.au/cyberincident) about unauthorised access to the University’s storage platform, known as the Isilon storage platform (Isilon). In particular, the University is drawing its public notification to the attention of its community, which includes but is not limited to our former and current staff and students.
Vice-Chancellor and President, Distinguished Professor George Williams AO, said: “On behalf of the University, I sincerely apologise for this incident and thank our community for its patience and support.”
“Our priority remains supporting and assisting our students, staff and stakeholders. We have set up a number of support services for them.”
After the University notified approximately 7,500 impacted individuals and its community about a breach of its Microsoft Office 365 environment in May 2024, the University confirmed personal information in Isilon was also subject to unauthorised access. Isilon holds My Documents information, departmental shared folders, and some backup and archived data.
The University has been analysing, and will continue to analyse, the very large and complex dataset to properly understand the impact the unauthorised access to Isilon has had on individuals’ personal information. The University is now in a position to confirm:
- There is evidence of access to approximately 580 terabytes of data across 83 of the 400 directories in Isilon.
- The investigation to date indicates unauthorised access to Isilon occurred between 9 July 2023 and 16 March 2024.
- The University’s initial review of Isilon has found personally identifiable information (PII) was accessed, including names, contact details, dates of birth, health information, sensitive information relating to workplace conduct and health and safety matters, government identification documents, tax file numbers, superannuation details and bank account information.
- Based on its forensic investigation to date, the University has no evidence that this incident extends beyond the University’s Microsoft Office 365 and Isilon environments.
The University has not received any threats to disclose private information or demands in exchange for maintaining privacy. The University has dark web monitoring in place and there is no evidence to date that the data has been uploaded. The University continues to engage with the authorities in relation to the perpetrator of the Isilon incident.
The University is working with Australia’s leading digital forensics and incident response team at CyberCX and relevant authorities, including the National Office of Cyber Security, Office of the Australian Information Commissioner, NSW Information and Privacy Commission, Australian Federal Police, Australian Cyber Security Centre, Australian Signals Directorate and Home Affairs. The NSW Police Force’s Cybercrime Squad is conducting an investigation under Strike Force GIRRAKOOL.
To protect University staff, students and stakeholders, the University sought and was granted an interim injunction in the NSW Supreme Court to prevent access, use, transmission and publication of any data that is the subject of the incident. This includes data in Isilon that was accessed without authorisation.
The University’s leadership and Board have taken a number of steps to remediate the issue and further protect staff and students, including completing a password reset, enhancing detection monitoring, implementing additional firewall protection, increasing the University’s cyber security team capacity, and reviewing data storage and retention practices.
The University has not detected any further unauthorised access to Isilon since remediation work took place on 16 March 2024.
The University will endeavour to notify individuals about the impact on their personal information in the coming weeks. However, due to the volume and complexity of the data, the University will not be able to issue individual notifications to all those who may be impacted.
The University’s public notification will help ensure its community stays vigilant to any signs their data may have been accessed.
Students, staff and alumni have received information today about the support services made available to them by the University. IDCARE has been engaged by the University to provide free advice and support to people who may have questions about how to protect themselves when identity information may have been compromised.
The public notification and more information about the University’s support services are available at www.westernsydney.edu.au/cyberincident.
As there are ongoing investigations and the matter is subject to ongoing court proceedings for the injunction, the University is unable to comment any further at this point.