University of Sydney discloses a data breach impacting 27,000 people

Hackers stole personal data of about 27,500 people from the University of Sydney after accessing an online code library, the university confirmed.

The University of Sydney disclosed a data breach in which threat actors accessed an online code library and stole personal information linked to about 27,500 individuals, including current and former staff, affiliates, students, and alumni.

In response to the security breach, the university took immediate action to protect its systems and community by blocking the unauthorized access and securing the affected environment. The compromised repository was primarily used for code storage and development, but the breach notification confirmed that it also contained historical data files.

Exposed files included personal information of about 10,000 current staff, 12,500 former staff, and roughly 5,000 alumni and students, mostly dating from 2010–2019.

“The unauthorised access includes a historical data file from a retired system containing personal information about staff employed at the University on 4 September 2018. This information includes the name, date of birth, phone number and home address of those staff as well as some basic job information (e.g. job title and employment dates).” reads the data breach notification published by the University of Sydney. “While the data has been accessed and downloaded, there is currently no evidence it has been used or published. We are actively monitoring for any signs of use or publication and, should this occur, we will update you immediately.”

The university pointed out that the incident is unrelated to the recent student results issue.

The institution confirmed that although attackers accessed and downloaded the data, there is no evidence so far that it has been misused or made public. It added that it is closely monitoring the situation and will promptly inform affected individuals if any signs of use or publication emerge.

The University of Sydney reported the breach to authorities and is working with cybersecurity partners to investigate the incident and assess its full impact.

“We are carefully working through the data to identify all members of our community who are affected, so we can inform them and provide appropriate support. Notifications to impacted individuals will commence today, aiming to be completed in January 2026 when we estimate the full assessment of file reviews will be completed and we have contact details for all impacted individuals.” concludes the notification. “We have provided general advice on the precautions people can take to lower the risk of their accessed data being misused below.”

In September 2023, the University of Sydney (USYD) announced that a data breach suffered by a third-party service provider exposed the personal information of recently applied and enrolled international applicants.

The University immediately launched an investigation into the incident and determined that only a limited number of recently applied and enrolled international applicants had their personal data compromised. The University did not share details about the exposed data or the type of attack that hit the third-party service.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, University of Sydney)