Western Sydney University’s Kingswood campus. Photo: Megan Dunn.
Western Sydney University (WSU) says previously stolen information was used to send out emails to students and alumni claiming their degrees had been revoked.
Many WSU students and graduates were sent into a panic on Monday night after receiving emails, to their personal email accounts, declaring they had been “excluded” from the university.
“It was very threatening and claimed that the board of trustees had reached a decision to revoke my degree… this would have put my entire academic and teaching career in jeopardy,” WSU student Deanna told the Weekender.
“The email had my full name and student number. For 20 minutes or so I thought this might be real, my entire life and a decade of hard work was down the drain.”
WSU moved quickly to dismiss the emails as a scam, before referring the matter to police and launching their own investigation.
The latest incident comes after a former student was charged over a series of cyber-attacks on the university spanning over a four-year period.
WSU Vice-Chancellor and President George Williams said the university had been “under repeated attack for some time”.
“Unfortunately, the attacks on our system have not stopped, as shown by the malicious emails sent on Monday,” he said.
“Our team is working night and day to improve our cyber security.”
Williams said on Wednesday that this was not a case of a fresh hack into the university’s systems.
“In this case, no data was stolen and there is no perpetrator within our system. Instead, an unauthorised person accessed an automatic email generator and populated it with previously stolen information to send out the emails,” he said.
“This occurred on Monday, with our cyber team shutting down the system as soon as this became apparent. We were able to prevent many thousands of additional emails from being sent. The system is fully contained, and we are making sure this cannot be replicated.”
The emails appeared legitimate with none of the usual scam red flags.
“We regret to inform you that, following a thorough review, the decision has been made to permanently exclude you from any further study at Western Sydney University,” the scam email read.
“As a result, any existing certificates or awards previously issued to you are hereby revoked.”
A second email was sent to students containing a message criticising the University’s alleged failure to address known security vulnerabilities.
A WSU spokesperson confirmed the emails were not legitimate, and that the issue was in the hands of police.
“Western Sydney University is aware of fraudulent emails sent to students and graduates, with some falsely claiming that they have been excluded from the University or that their qualifications have been revoked,” a spokesperson for WSU said.
“These emails are not legitimate and were not issued by the University. We are reaching out to inform people that the email is fraudulent and have informed NSW Police.
“We sincerely apologise for any concern this may have caused.”
WSU’s Student Representative Council responded to the email drama, saying it condemns the breach of students’ private information.
“We unequivocally condemn the actions of the hacker and express our concern for all students and staff affected,” it said in a statement.
“However, we are deeply concerned with the University’s ongoing failure to adequately protect students’ personal and academic data. Students deserve confidence that their information is secure, and their wellbeing prioritised.
“We urge Western Sydney University to take immediate and transparent action to strengthen data security and rebuild confidence within the student community.
“We share the anger, frustration, and disappointment of the students and alumni who have been affected; many of whom woke [on Monday] fearing their enrolments and awards had been revoked.”
While WSU is undergoing financial stress and job losses, Williams said it retains strong cyber security measures.
“I see this as a non-negotiable requirement for us to operate as a university. We must look after our people as a bedrock of our teaching and research,” he said.
“This year alone we have spent $26 million on improving our cyber position, with a similar amount projected for next year.
“This has been invested in our teams, our systems and in external support. This is an area where we have used consultants to ensure we have the advice and deep expertise needed. Their engagement also provides us with the external assurance that we are on the right track.”
Williams said the intent of the email scam was “to harm our students and alumni”.
“There has been no demand for payment, nor any links in the email that might entrap people. Plain and simple, this was designed to hurt our community and damage the reputation of our University,” he said.
The university says it continues to make improvements to protect against external attacks.
Emily Chate
Emily Chate joined The Western Weekender in 2024, and covers local news – primarily courts and politics. A graduate of the University of Wollongong, Emily has contributed to The Daily Telegraph and worked as a freelance journalist.
Troy Dodds
Troy Dodds is the Weekender’s Managing Editor and Breaking News Reporter. He has more than 20 years experience as a journalist, working with some of Australia’s leading media organisations. In 2023, he was named Editor of the Year at the Mumbrella Publish Awards.
