UWA Callista Student System Breach 2026: What You Need to Know

The University of Western Australia confirmed an unauthorised external access incident affecting its Callista Student Information Management System, detected on 28 May 2026 and disclosed publicly on 8 June 2026. Here is what happened, what data was exposed, and what you can do next.

Detected: 28 May 2026
Disclosed: 8 June 2026
Risk level: Medium

What Happened

How the UWA Callista 2026 Breach Unfolded

Pre-incident

UWA system access credentials for the Callista database were unintentionally exposed online. UWA has subsequently described the intrusion as a “random attack” rather than a targeted operation against the University.

28 May 2026

The UWA IT team identified an instance of unauthorised external access to the Callista database - the University's Student Information Management System. UWA IT moved to contain the access and began an investigation to determine the scope of the exposure.

Late May - early June 2026

UWA investigated which records had been accessed and notified relevant authorities. The University confirmed that credit card details, tax file numbers, medical records, passport information and bank account details were not stored in the Callista system and were not affected. UWA also removed the underlying vulnerability that enabled the access.

Callista holds enrolment and contact details, not financial or government identifier data - which kept this incident materially less severe than other Australian university breaches.

8 June 2026

UWA disclosed the incident publicly and began contacting affected individuals directly. UWA stated that, while it assesses the risk as low and has no evidence the information has been used maliciously, affected individuals should practise heightened personal digital security vigilance. Unlike the August 2025 UWA password store breach, the University did not force a campus-wide password reset this time, citing existing MFA controls on UWA systems.

Source: UWA Callista database security vulnerability disclosure (8 June 2026)

What Was Exposed

Personal Data Exposed in the Breach

Callista is UWA's Student Information Management System, so the exposed records primarily concern current students, recent graduates and prospective students whose details were on file. Some staff records are also in scope where the individual is also registered as a student. UWA's disclosure provides an explicit list of the fields involved.

| Data Type | Risk Level | Who Was Affected |
|---|---|---|
| Full name | High | All affected current and former students |
| UWA Student ID | Medium | All affected students |
| UWA Staff ID | Medium | Where applicable (staff who are also students) |
| Personal email address | High | All affected current and former students |
| Home and mobile phone numbers | High | All affected current and former students |
| Date of birth (day and month only) | Medium | All affected current and former students |
| Postcode | Low | All affected current and former students |
| Enrolment status (as at 2 April 2026) | Low | All affected current and former students |

Risk levels based on the OAIC: What is personal information? and OAIC Australian Privacy Principles. Identity-linked data (name, partial date of birth) is rated higher than postcode or enrolment status, although the absence of the birth year and full residential address materially reduces the identity-fraud risk profile of this breach compared with other recent incidents.

Confirmed NOT Exposed

UWA confirmed the following were not stored in Callista and were not affected: credit card details, tax file numbers, medical records, passport information and bank account details. Full residential address (only postcode was stored) and full date of birth (only day and month were stored) were also outside the scope of the exposed data.

University Response

What UWA Did

“While we assess the risk as low and have no evidence that information has been used maliciously, we recommend affected individuals practise heightened personal digital security vigilance.”
UWA Callista database security vulnerability disclosure, 8 June 2026

Actions Taken by UWA

  • UWA IT identified the unauthorised external access on 28 May 2026 and moved to contain it
  • Investigated the scope of the exposure and notified relevant authorities
  • Removed the underlying vulnerability that allowed access (UWA system access credentials had been unintentionally exposed online)
  • Confirmed that financial, identity-document, banking and medical data were not stored in Callista and not affected
  • Directly contacted any individual whose data may have been accessed - primarily by personal email address
  • Published a dedicated Callista security vulnerability page with FAQs and ongoing updates
  • Did not require a campus-wide password reset (in contrast to the August 2025 incident) because MFA was already in place on UWA systems

What Now?

Steps You Can Take After the UWA Callista Breach

The data exposed here is less severe than many recent Australian breaches - no financial details, no passport, no full date of birth - but the combination of name, personal email and phone number is still enough to power convincing UWA-themed phishing. The practical steps below focus on phishing awareness, account hygiene and monitoring, organised by the surfaces most likely to be targeted.

Phishing and UWA-themed Communications

Your name, personal email and phone number can be used to make UWA-themed scams look real - treat unsolicited messages with care.

Verify any UWA communication through known channels

~2 min
If you receive an unsolicited email, SMS or phone call referencing your UWA enrolment, do not click the links or return the call from the message. Instead, navigate directly to uwa.edu.au or call UWA via the published switchboard. UWA's own advice is to use the AskUWA portal or contact the alumni relations team for verification.

Be sceptical of messages that quote your Student ID

Attackers can reference your name and UWA Student ID to make a fake email or call sound authoritative. Quoting an ID does not prove the sender is UWA. If anything in the message creates urgency (deadlines, fee payments, account suspension), pause and verify through an independent channel.

Personal Email and Digital Identity

Your personal email is the key channel UWA will use to reach you - and it is also the most common target for credential-stuffing follow-up.

Strengthen the personal email account on file

~5 min
Update the password and enable MFA on the personal email address you provided UWA. Check that your recovery phone number is current and that no unfamiliar forwarding rules or connected apps have been added. This is the most common pivot point attackers use after a contact-data breach.

Check for credential reuse across services

If you have ever reused the same password across multiple services, now is a sensible time to rotate it. Use a password manager to generate and store a unique password for each account. Even without a password leak in this incident, the broader data exposure makes targeted phishing more effective.

UWA Password and MFA

UWA has not required a reset, but a quick review of MFA status is still worthwhile.

Confirm MFA is active on your UWA SSO account

~5 min
UWA cited existing MFA controls as the reason no campus-wide password reset was required. If you are a current student or staff member, log in to your UWA SSO account and confirm MFA is enabled, the registered authenticator app or phone number is current, and there are no unfamiliar trusted devices listed.

Rotate your UWA password if you reuse it elsewhere

Although password data was not in scope of this breach, the standard advice still applies: do not reuse your UWA password on any other service. If you do, generate a unique replacement now using a password manager - the effort is low and removes the credential-stuffing pathway entirely.

Monitoring and Reporting

Australian support routes for breach response and identity protection.

Contact IDCare for tailored support

IDCare (1800 595 160) is Australia's national identity and cyber support service. They provide free, confidential guidance tailored to which fields were exposed in your specific case - useful if you also appear in other recent Australian breaches and want a consolidated response plan.

Report scams to Scamwatch

If you receive a suspicious message referencing your UWA details, report it to Scamwatch. Reports help the ACCC and partner agencies track emerging UWA-themed scam patterns and alert other potential targets.

Reach out to UWA support if you need help

UWA's disclosure page directs current students to the AskUWA portal and former students or alumni to alumnirelations@uwa.edu.au. The Living Room at Reid Library is available for wellbeing support on campus.

Are You Still at Risk?

The Hidden Danger: Compound Breach Exposure

On its own, the Callista incident is materially less severe than many recent Australian breaches. But UWA students and staff may also appear in the August 2025 UWA password store breach, in other university-sector breaches, or in broader Australian incidents. When several breaches overlap, the combined dataset becomes much more useful for impersonation.

How breach data compounds

The Callista breach exposes contact details, partial date of birth and enrolment status - nothing that, by itself, enables identity fraud. But chained with password data from the August 2025 UWA incident, or with identity-document fields from another university breach, the combined picture is materially more useful to attackers than any individual leak.

  • UWA Password Store Breach (August 2025): Separate incident at the same institution - all staff and student passwords force-reset
  • Western Sydney University (2025): ~10K records - SSO breach exposing identity documents and grades
  • Genea Fertility (2025): ~940K records - Australian breach with broad PII overlap
  • University of Sydney (2023): Identity and contact details for the broader AU university sector

If your email appears in two or more of these breaches, your risk level is meaningfully elevated. In The Event Of can overlay your breach data to show exactly where your exposure compounds, and help you prioritise what to address first.

UWA Support Resources

Who to Contact at UWA

  • Current students: log in to the AskUWA portal via your UWA SSO account for personalised support and to confirm whether your record was affected.
  • Former students and alumni: email alumnirelations@uwa.edu.au for support and questions about your historical record.
  • Wellbeing support on campus: The Living Room at Reid Library is open to students who would like in-person assistance.
  • Independent identity and cyber support: contact IDCare on 1800 595 160 for free, tailored guidance independent of UWA.

Disclaimer: This guide is provided for general informational purposes only and does not constitute legal, financial, or professional advice. The information is based on publicly available sources at the time of writing and may not reflect the most current developments. In The Event Of Pty Ltd (ABN 38 687 352 647) is not affiliated with The University of Western Australia. If you believe you have been affected by this data breach, we recommend contacting UWA via the channels listed above and seeking professional guidance specific to your circumstances.