In The Event Of
Get started free
W

Western Sydney University SSO Breach 2025:
What You Need to Know

Around 10,000 Western Sydney University staff and student records were exposed after attackers abused valid single sign-on credentials in early 2025. This is a separate, second-wave incident following the 2024 breach. Here is what happened, what data was leaked, and what to do next.

Breach date:25 February 2025
Records affected:~10,000
Risk level:High

Your personal risk from this breach

Sign in or create a free account to see your personalised risk score.

View My Risk

What Happened

How the WSU 2025 SSO Breach Unfolded

January-February 2025

A threat actor obtained valid single sign-on (SSO) credentials - likely via phishing or harvested infostealer logs - and used them to access internal staff and student records over a period of several weeks. Because the attacker logged in as a legitimate user, the activity bypassed many perimeter controls.

25 February 2025

Western Sydney University detected suspicious SSO access patterns and isolated the affected accounts. Forensic investigation began, and external incident-response specialists were engaged to scope the intrusion.

April 2025

WSU publicly disclosed the incident via its cyber incident notice, confirming that this was a separate intrusion from the 2024 breach but compounded exposure for affected students and staff. The OAIC was notified under the Notifiable Data Breaches scheme.

Some individuals appear in both the 2024 and 2025 WSU breach datasets - the combined exposure is significantly more serious than either incident alone.

May 2025 onwards

WSU began sending individual notifications to affected staff and students, forced a mandatory MFA reset across all SSO accounts, and tightened conditional-access policies. Identity protection support was offered to those whose government identity documents were in scope.

Source: WSU cyber incident notice (15 April 2025)

What Was Exposed

Personal Data Leaked in the Breach

The exact data exposed varies per individual depending on their role (staff vs student), enrolment status, and whether identity documents were on file. Although the overall record count is smaller than many recent Australian breaches, the per-record sensitivity is high - particularly for international students whose passport details were stored for visa compliance.

Data TypeRisk LevelWho Was Affected
Full nameHighAll approximately 10,000 affected staff and students
Student/staff ID numberMediumAll affected staff and students
Email addressHighInstitutional and personal emails on file
Phone numberHighSubset of affected staff and students
Home addressHighSubset of affected staff and students
Date of birthHighPrimarily staff records
Academic records / transcriptsMediumAffected students - grades, course enrolment, results
Identity document detailsHighSubset - TFN for staff, passport for international students, drivers licence

Risk levels based on the OAIC: What is personal information? and OAIC Australian Privacy Principles. Identity-linked data (name, date of birth, address) and government-issued identifiers (TFN, passport, drivers licence) are rated higher due to their potential use in identity fraud.

Confirmed NOT Exposed

WSU confirmed that the university-wide HR payroll database was on a segmented network and was not affected. Donor and alumni payment-card data was also out of scope, as it is processed by a separate PCI-DSS environment.

University Response

What WSU Did

“We acknowledge the impact this incident has on our community and we are sorry this has happened. We are committed to supporting those affected and to strengthening our cyber resilience.”
Western Sydney University statement, April 2025

Actions Taken by WSU

  • Isolated affected SSO accounts on detection and forced a mandatory password reset
  • Engaged external incident-response specialists and notified the OAIC under the Notifiable Data Breaches scheme
  • Forced an MFA reset across all staff and student SSO accounts
  • Mandated FIDO2 hardware security keys for staff with administrative access
  • Expanded the WSU Security Operations Centre and tightened conditional access policies
  • Notified affected individuals directly and offered identity protection support, especially for those with exposed government identifiers
  • Published an ongoing cyber incident page with updates and contact details for support
WSU Cyber Incident PageOAIC Notifiable Data Breaches

What Now?

Steps You Can Take After the WSU 2025 Breach

Students often have less help navigating identity-fraud response than corporate breach victims. The combination of name date of birth address and identity document in this breach is particularly potent for impersonation. Here are practical steps, organised by the accounts most commonly affected, with Australian support routes highlighted.

University SSO and Academic Accounts

Your WSU SSO credentials were the entry point - secure them and any linked services.

Reset your WSU SSO password and enable MFA

~5 min
If you still have an active WSU account, change your SSO password to something unique (not reused on any other service), and confirm MFA is enabled. WSU mandated a reset after the incident, but it is worth verifying the change took effect and that no recovery methods have been quietly added.
MyWSU SSO portal

Review device list and email forwarding rules in MyWSU

Threat actors with SSO access commonly set up email forwarding rules or register new devices to maintain persistence. Open your WSU email settings, remove any unfamiliar devices, and delete forwarding or auto-reply rules you did not configure yourself.

Check session and sign-in history

Most identity providers (including the Microsoft 365 environment used by WSU) show recent sign-in activity. Look for sign-ins from unfamiliar locations or IP addresses, particularly in the January-February 2025 window, and report anything suspicious to WSU cyber support.

Email and Digital Identity

Institutional emails are heavily targeted for credential stuffing - secure both your WSU and personal accounts.

Strengthen personal email security

~5 min
Many students use their personal email as the recovery contact for their WSU account, and vice versa. If either is compromised, both are at risk. Update the password and enable MFA on the personal email account on file, and check connected app permissions for anything you do not recognise.

Watch for credential-stuffing attempts

Institutional email addresses (firstname.lastname@westernsydney.edu.au) are predictable and heavily targeted. Expect login attempts on services where you may have reused passwords - particularly social media, gaming, and shopping accounts. A password manager and unique passwords are the strongest defence.

Identity Protection

Government identifiers (TFN, passport, drivers licence) need specific protective steps.

Protect your Tax File Number (staff)

~15 min
If your TFN was held on file as a WSU employee and was in scope of the breach, contact the ATO via the Client Identity Support Centre on 1800 467 033. They can place additional verification on your tax record and flag the TFN as compromised so any suspicious activity is reviewed.
ATO: Tax File Number protection

Replace your passport (international students)

~30 min
If you hold an Australian passport that was on file with WSU, you can report it as compromised to the Australian Passport Office and apply for a replacement. International students holding a foreign passport should contact their home country's embassy or consulate, and may also wish to notify DFAT for awareness.
Australian Passport OfficeDFAT Smartraveller

Place a free credit ban (staff with DOB + address)

~20 min
For staff whose date of birth and address were exposed together with a government identifier, a free credit ban with the Australian credit bureaus prevents new credit from being opened in your name without additional verification. Bans can be lifted on request when you genuinely apply for credit.
Equifax AUExperian AU (formerly Illion)

Monitoring and Reporting

Australian support routes - especially important for international students less familiar with local services.

Contact IDCare for tailored support

IDCare (1800 595 160) is Australia's national identity and cyber support service. They provide free, confidential, personalised guidance for people affected by data breaches - including international students unfamiliar with AU identity-fraud response. They can build a response plan tailored to which documents were exposed.

Report passport misuse to DFAT and Scamwatch

If you see evidence your passport details are being misused (for example, a request to verify a travel document you did not initiate), report to the Australian Passport Office. General scams and identity-fraud attempts should also be reported to Scamwatch to help authorities track emerging threats.

Stay alert for academic-themed phishing

Because academic records were accessed, attackers can craft very specific phishing messages - referencing a real subject code, lecturer name, or grade. Treat any unsolicited message about your WSU account, results, or fees with caution, and verify directly through official WSU channels rather than clicking links in the message.

Not sure which of your accounts are affected?

In The Event Of discovers your accounts automatically and alerts you in real time when new breaches affect your data.

Check My Email Free

Are You Still at Risk?

The Hidden Danger: Compound Breach Exposure

The 2025 WSU breach is the second incident at the same institution within roughly a year. If you were affected by both, or by other university-sector breaches, the combined data available to attackers is significantly more complete than any single incident.

How breach data compounds

On its own, the 2025 WSU breach exposed identity details, academic records, and government identifiers for around 10,000 people. But if your email also appears in the 2024 WSU incident, another university breach, or aggregated credential dumps like MOAB, attackers can chain that information together to build a near-complete identity profile and bypass routine verification questions.

  • Western Sydney University (2024)Prior incident at the same institution - many overlapping records
  • University of Sydney (2023)~95K records - student and staff personal details
  • University of Wollongong (2023)~95K records - similar university sector exposure
  • MOAB (2024)26B aggregated records - where SSO credentials were likely sourced

If your email appears in two or more of these breaches, your risk level is significantly elevated. In The Event Of can overlay your breach data to show exactly where your exposure compounds, and help you prioritise what to address first.

Were you affected?

Find out in 30 seconds. Free to check.

Check My Email Free

No credit card required.

Frequently Asked Questions

WSU 2025 Breach FAQ

Sources

  1. Western Sydney University: Cyber incident notice (15 April 2025)
  2. iTnews: "Western Sydney University targets file-sharing sites hosting stolen data"
  3. ACS Information Age: "Western Sydney Uni suffers data breach, again"
  4. OAIC: Notifiable Data Breaches scheme
  5. Australian Passport Office
  6. ATO: Tax File Number protection
  7. IDCare - national identity and cyber support service
  8. OAIC: What is personal information? (Privacy Act 1988 categories)
  9. OAIC: Australian Privacy Principles

Other Major Australian Data Breaches

Data from multiple breaches can be combined to increase identity fraud risk. Review these guides to understand your full exposure.

NYC Health + Hospitals Data Breach 2026

~1.8M records exposed

Critical

Australian Courts Data Breach 2026

Thousands of files records exposed

Critical

youX Data Breach 2026

~444K records exposed

High

Prosura Data Breach 2026

300K-500K records exposed

High

Canvas (Instructure) Data Breach 2026

~275M (claimed) records exposed

Medium

Booking.com Data Breach 2026

Undisclosed records exposed

High

McGraw Hill Data Breach 2026

13.5M records exposed

High

Crunchyroll Data Breach 2026

Undisclosed records exposed

High

Eurail Data Breach 2026

300K+ records exposed

High

Basic-Fit Data Breach 2026

1M records exposed

High

Under Armour Data Breach 2025

72M records exposed

High

Salesforce (ShinyHunters) Data Breach 2025

~1B records exposed

High

Allianz Life Data Breach 2025

2.8M records exposed

High

Workday Data Breach 2025

Undisclosed records exposed

Medium

Genea Fertility Data Breach 2025

940K records exposed

Critical

DeepSeek Data Breach 2025

1M records exposed

Medium

Tangerine Telecom Data Breach 2024

232K records exposed

High

Australian Clinical Labs Data Breach 2022

223K records exposed

Critical

Qantas Data Breach 2025

5.7M records exposed

High

Optus Data Breach 2022

9.8M records exposed

Critical

Medibank Data Breach 2022

9.7M records exposed

Critical

Latitude Financial Data Breach 2023

14M records exposed

Critical

MyDeal (Woolworths) Data Breach 2022

2.2M records exposed

High
View all breach guides →

Disclaimer: This guide is provided for general informational purposes only and does not constitute legal, financial, or professional advice. The information is based on publicly available sources at the time of writing and may not reflect the most current developments. In The Event Of Pty Ltd (ABN 38 687 352 647) is not affiliated with Western Sydney University. If you believe you have been affected by this data breach, we recommend contacting the relevant authorities and seeking professional guidance specific to your circumstances.