
University of Sydney Data Breach 2025:
What You Need to Know

Approximately 27,000 current and former University of Sydney staff, affiliates, alumni and students had personal data exposed after an internal code library was accessed without authorisation in December 2025. Here is what happened, what data was leaked, and what to do next.

Disclosed: 18 December 2025
Records affected: ~27,000
Risk level: High


What Happened

How the University of Sydney 2025 Breach Unfolded

Historical (primarily 2010-2019)

Historical PII data files - test extracts from a now-retired University of Sydney system - were stored alongside development code in an internal IT code library. The data covers staff, affiliates, alumni and students from across the 2010-2019 period and was retained in the repository rather than being purged after the original test work concluded.

Dev-environment data leaks - where production-shaped PII is left in code repositories after testing - are one of the most common but least visible causes of breach.

Mid-December 2025

The University of Sydney detected suspicious activity in a single IT system used mainly to develop software. Access was blocked immediately once the intrusion was discovered and containment measures were implemented while a forensic investigation began.

18 December 2025

The University issued a public notification of the cyber incident and data breach and confirmed that approximately 27,000 individuals were affected. The NSW Privacy Commissioner, the Australian Cyber Security Centre (ACSC), the Tertiary Education Quality and Standards Agency (TEQSA), the National Student Ombudsman and ID Support NSW were notified.

Late December 2025 - January 2026

The University began contacting affected individuals directly. Current staff were notified in late December 2025, former staff and affiliates in the week of 19 January 2026, and former students and alumni from the week of 26 January 2026. The University stated that, as of disclosure, there was no evidence the data had been used or published.

Notification was staggered while the University identified current contact details for individuals from a 2010-2019 dataset - many former students no longer had active Sydney Uni accounts.

Source: University of Sydney official notification (18 December 2025)

What Was Exposed

Personal Data Exposed in the Breach

The accessed dataset is a historical extract from a retired University of Sydney system, primarily covering the 2010-2019 period. The total population is approximately 27,000 individuals: about 10,000 current staff and affiliates, roughly 12,500 former staff and affiliates, and approximately 5,000 alumni and students, plus a small number of supporters.

Data Type           | Risk Level | Who Was Affected
Full name           | High       | All approximately 27,000 affected individuals
Date of birth       | High       | All approximately 27,000 affected individuals
Residential address | High       | All approximately 27,000 affected individuals
Phone number        | High       | All approximately 27,000 affected individuals
Employment details  | Medium     | Current and former staff and affiliates

Risk levels are based on the OAIC's "What is personal information?" guidance and the OAIC Australian Privacy Principles. Identity-linked data (name, date of birth, residential address) is rated higher due to its potential use in identity fraud. Employment details are rated lower in isolation but become meaningful when combined with the other fields for impersonation.

Confirmed NOT Exposed

The University of Sydney stated that academic records, grades, course information, research data, financial information, identity documents and authentication credentials (passwords) were not in scope of this incident. The breach was limited to identity and contact data held in a historical test extract.

University Response

What the University of Sydney Did

“To our knowledge, the data accessed has not been used or published. We are sorry this incident has occurred and we are contacting all impacted individuals directly.”
University of Sydney notification, 18 December 2025

Actions Taken by the University

  • Blocked the unauthorised access immediately on detection and applied containment measures
  • Engaged forensic investigators to determine the scope of data accessed
  • Notified the NSW Privacy Commissioner, the Australian Cyber Security Centre, TEQSA, the National Student Ombudsman, and ID Support NSW
  • Directly contacted affected current staff in late December 2025
  • Contacted former staff and affiliates from the week of 19 January 2026
  • Contacted former students and alumni from the week of 26 January 2026
  • Published an ongoing cyber incident support page and FAQs

What Now?

Steps You Can Take After the University of Sydney Breach

The combination of name, date of birth, residential address and phone number is the textbook starter dataset for identity fraud and SIM-swap attacks. Even though no academic, financial or identity-document data was exposed, the practical steps below are worth taking to limit downstream risk.

University Accounts and Communications

Stay alert to USYD-themed phishing and confirm your contact details are current with the University.

Verify any USYD communication through known channels

~2 min
Attackers can reference your name, date of birth and historical USYD affiliation to make phishing messages look authoritative. If you receive unsolicited email, SMS or calls citing your University of Sydney record, do not click links or return calls from the message - navigate directly to sydney.edu.au or call the published support numbers.

Confirm your contact details if you are still affiliated

If you are a current student, staff member or affiliate, log in to your USYD account and confirm the email address and phone number on file are current. The University used direct email and post to notify affected individuals; out-of-date details can mean you miss further communications.

Identity Protection

Name + date of birth + address is the most common combination used to verify identity at financial institutions.

Consider a free credit ban

~20 min
With date of birth and residential address exposed, a free credit ban with the Australian credit bureaus prevents new credit from being opened in your name without additional verification. Bans can be lifted on request when you genuinely apply for credit.

Set a port-out PIN with your mobile carrier

~10 min
Because phone number is part of the exposed dataset, setting a port-out PIN with your mobile carrier blocks SIM-swap attacks that can be used to intercept MFA codes on banking, email or other critical accounts.

Strengthen your personal email security

If the email address you historically used with USYD is still active, change its password to a unique one and enable MFA. Email is the single most common pivot point for identity fraud follow-up because so many recovery flows rely on it.

Password and Account Hygiene

No password data was in scope of this incident, but good hygiene reduces follow-on risk from compound breaches.

Rotate passwords on services that reuse the same credentials

~15 min
If you have ever used the same password on multiple services, this is a good moment to generate unique replacements via a password manager. Attackers commonly combine breached PII with credential-stuffing attempts to escalate access elsewhere.

Enable MFA on critical accounts (email, banking, gov)

MFA on your primary email account, MyGov, ATO and bank accounts adds a layer that breached PII alone cannot bypass. Authenticator apps are preferred to SMS where supported.

Monitoring and Reporting

Free Australian support routes - particularly useful for former students who may no longer have an active USYD contact.

Contact ID Support NSW or IDCare

The University of Sydney directly notified ID Support NSW as part of its response - that service offers tailored support to NSW residents whose identity data has been exposed. For broader Australia-wide guidance, IDCare (1800 595 160) provides free, confidential, personalised response plans.

Report scams to Scamwatch

If you receive a suspicious message referencing your University of Sydney record or details, report it to Scamwatch. Reports help track emerging USYD-themed scam campaigns and alert other potential targets.


Are You Still at Risk?

The Hidden Danger: Compound Breach Exposure

The USYD 2025 incident is one of several recent Australian tertiary-sector breaches. If your data also appeared in another university breach, the combined dataset becomes more useful to attackers than any single incident on its own.

How breach data compounds

The USYD breach exposes name, date of birth, address, phone and employment details for ~27,000 people. On its own, that is enough for convincing phishing. Combined with an identity document from another university breach (such as the WSU 2025 SSO incident), or with sensitive health data from a separate Australian breach, the combined data profile is materially more useful for impersonation.

  • Western Sydney University (2025): ~10K records - SSO breach exposing identity documents and grades
  • Western Sydney University (2024): Prior incident at same sector institution - overlapping audience
  • UWA Callista Student System (2026): Names, partial DOB, postcodes, phone - AU tertiary sector
  • Genea Fertility (2025): ~940K records - broader AU PII overlap with sensitive health data

If your email appears in two or more of these breaches, your risk level is meaningfully elevated. In The Event Of can overlay your breach data to show exactly where your exposure compounds, and help you prioritise what to address first.


Disclaimer: This guide is provided for general informational purposes only and does not constitute legal, financial, or professional advice. The information is based on publicly available sources at the time of writing and may not reflect the most current developments. In The Event Of Pty Ltd (ABN 38 687 352 647) is not affiliated with The University of Sydney. If you believe you have been affected by this data breach, we recommend contacting the relevant authorities and seeking professional guidance specific to your circumstances.