Western Sydney University students have cast doubt on the institution’s statements about a series of cyberattacks, after fraudulent emails containing private personal information were sent to those who were not enrolled when the last reported attack occurred.
The university says it has launched a forensic review into the incident on Monday, when thousands of students and graduates were sent fraudulent emails from an official Western Sydney University email address informing them their degrees had been revoked.
Western Sydney University has launched a forensic review into the incident and is co-operating with police.Credit: Sitthixay Ditthavong
Vice chancellor George Williams said on Wednesday the emails had been sent using “previously stolen information”. The university reported three hacks between 2023 and 2025, the most recent in January and February.
Students who enrolled in the past few months, after the last reported hack, were caught up in this week’s email attack and their personal details were accessed, raising questions about whether the university failed to identify or publicly report a separate hack.
The Herald has seen documentation from several students who enrolled in the university as late as June, months after the last reported cyberattack, who received emails on Monday that contained information including full names and unique student identification numbers.
Alice, a law student who requested her surname be withheld to protect her online identity, received an offer to enrol in a course on June 19, and set up her university account in the following days.
A University of Western Sydney student made an application in April, after the last reported data breach, but received the email with private information on Monday.Credit: Screenshots supplied
“I’m a new student who began studying this semester, after the last hack, yet I also received the fake expulsion email with my student number and full name,” she said.
“I was not registered with WSU in any capacity before June, so my student number, personal email and name could not have been involved in a past breach.”
Read the full article here
