On Wednesday the 31st of July, Western Sydney University issued a public statement disclosing a data breach within the University’s storage platform, ‘Isilon’. This unauthorised access affects, but is not limited to, the information of former and current students and staff.
The public statement specified that the unauthorised access affects 580 terabytes (TB) of data across 83 of 400 Isilon directories. This amount of data is the equivalent of 786,977 CDs stacked 944 metres high, which is taller than the world’s tallest building, the Burj Khalifa.
The University’s investigation uncovered that the data breach was ongoing between 9 July 2023 and 16 March 2024.
The inquiry found that personally identifiable information was accessed, including:
- Names, contact details, dates of birth
- Health information
- Sensitive information relating to workplace conduct and health and safety matters
- Government identification documents
- Tax file numbers
- Superannuation details
- Bank account information
A 2023 report by the Office of the Australian Information Commissioner (OAIC) found that harm from data breaches is increasingly impacting Australians. It revealed that:
- 50% of Australians feel that if they want to use a service, they have no choice but to accept what the service does with their data
- 47% of participants were told by an organisation that their personal information was involved in a data breach in the last year
- 57% care about their data privacy but don’t know what to do about it
- 32% of participants do not feel in control of their data privacy
- 76% said they had experienced harm because of a data breach
- 19% rise in authorised access incidents in late 2023
Dr Chris Fleming, Digital Cultures Tutor and Associate Professor at the School of Humanities and Communication Arts, stated: ‘My sense is that these sorts of events have become so common that people now expect them. To extend a bit the point I raised a moment ago, think about the fact that many browsers now – where these are integrated in certain ways with your operating systems (O/S) – give warnings like, “Several passwords have appeared in a data leak, putting these accounts at high risk of compromise,” and so on. Such warnings suggest a kind of “business as usual” model’.
The Australian Cyber Security Centre (ACSC) recommends that organisations educate staff and students on cyber threats and implement training programs, enhance password security and strengthen software systems to prevent and address data breaches.
A spokesperson from Western Sydney University issued a statement to W’SUP on the 11th of September 2024. The spokesperson confirmed that the University has issued individual notifications to those most impacted so that they can access support systems.
“At the time, we said we would be continuing to analyse the large and complex dataset to determine what impact the unauthorised access to Isilon had on individuals, and we would be issuing individual notifications shortly.
The University can confirm we have begun issuing individual notifications to impacted individuals so they can take steps to protect their information and access additional support services.”
The WSU spokesperson assures students, staff and stakeholders that the incident is being carefully addressed. “The University is taking this incident very seriously. We sincerely apologise for this incident and the impact it is having on our community, and we thank our community for its patience and support.”
The statement outlined the ways the University is addressing the incident, including a court injunction to protect data during the investigation, as well as support service information. “IDCARE has been engaged to provide free advice and support to people who may have questions about protecting themselves when identity information may have been compromised. More information about the University’s support services is available at www.westernsydney.edu.au/cyberincident.
The University is working with Australia’s leading digital forensics and incident response team at CyberCX and relevant authorities, including the National Office of Cyber Security, Office of the Australian Information Commissioner, and NSW Information and Privacy Commission.
To protect University staff, students and stakeholders, the University sought and was granted an interim injunction in the NSW Supreme Court to prevent access, use, transmission and publication of any data that is the subject of the incident. This includes data in Isilon that was accessed without authorisation.”
The spokesperson also stated that the University is adhering to ACSC recommendations to organisations regarding data breaches. “The University’s leadership and Board have taken a number of steps to remediate the issue and further protect staff and students, including completing a password reset, enhancing detection monitoring, implementing additional firewall protection, increasing the University’s cyber security team capacity, and reviewing data storage and retention practices.”
The spokesperson also highlighted that the University cannot make further comment on the incident due to court proceedings. “As there are ongoing investigations and the matter is subject to ongoing court proceedings for the injunction, the University is unable to comment any further at this point.”
If you are not satisfied with the University’s response to the incident, you can lodge a complaint or request an internal review by providing the details of your matter via email to internalreview@westernsydney.edu.au. This must be completed by 31st of January 2025.
You can also lodge an external complaint with the NSW Information and Privacy Commission (IPC), which you can contact via:
Phone: 1800 472 679
Email: ipcinfo@ipc.nsw.gov.au
Post: GPO Box 7011, Sydney NSW 2001
Website: www.ipc.nsw.gov.au