University of Sydney says coding repository breach exposed personal data of more than 27,000

Hackers accessed an online coding repository belonging to the University of Sydney and stole files containing personal information of staff and students, the university said. The breach was limited to a single system and was detected last week. The institution blocked the unauthorised access and notified the New South Wales Privacy Commissioner, the Australian Cyber Security Centre and education regulators.

University officials said the code library was principally used for storage and development but also held historical data files. The files affect more than 27,000 individuals: about 10,000 current staff and affiliates employed or affiliated as of 4 September 2018, about 12,500 former staff and affiliates from the same date, and roughly 5,000 students and alumni from datasets dated approximately 2010–2019, plus six supporters.

The university said staff records exposed in the incident include names, dates of birth, phone numbers, home addresses and job details. It confirmed the data was accessed and downloaded but said it had found no evidence that the information had been published online or otherwise misused.

The institution has begun sending personalised notifications to affected individuals and expects to complete notifications by next month. It has established a dedicated cyber-incident support service to provide counselling and support, and published a FAQ page that will be updated as the investigation progresses.

Affected people were advised to remain vigilant for unsolicited communications requesting more information, to change online account passwords and to enable multi-factor authentication where possible. The university previously experienced a separate data breach in September 2023 that involved a third-party service provider.

No details have been provided on the identity of the attacker or the methods used to gain access.