Massive phishing attack on Western Sydney University

Posted date 23/10/2025

On October 6, 2025, students and alumni of Western Sydney University (WSU) were targeted by a massive phishing attack via fraudulent emails. The messages claimed that their academic degrees had been revoked and that they were permanently excluded from the university. The following day, the university confirmed that these emails were not legitimate and were indeed an attempt at fraud.

Prior to this attack, Western Sydney University had detected two instances of unusual activity, on August 6 and August 11, 2025. This activity occurred in the university's Student Management System, hosted on a third-party cloud platform. The university instructed the third-party provider to shut down access to its platform and launched an investigation, which confirmed that unauthorized access to this system was gained through another system linked to that platform between June 19 and September 3, 2025.

The compromised personal information includes a wide variety of data such as name, date of birth, personal identification numbers, address, email, phone number, place of birth, nationality, employment and payroll details, bank account, driver's license, passport, and other personal information.

The university's investigation confirmed that the fraudulent emails sent to some students and alumni on October 6 used data stolen during these previous intrusions.