The University of Sydney confirmed a significant cyber incident on December 18, 2025, revealing unauthorized access to a third-party online IT code library that compromised historical personal data of more than 27,000 students, staff, alumni, and supporters. Attackers exploited a single development system, extracting sensitive details like names, addresses, and employment info from datasets spanning 2010-2019, but no financial data was involved.
Breach Timeline and Scope
Detection occurred last week, with immediate containment isolating the affected repository from broader university systems. Impacted records primarily date to before September 4, 2018, affecting roughly 10,000 current/former staff, 12,500 affiliates, and 5,000 students/alumni. No evidence of data publication or misuse has surfaced yet, though investigations continue with cyber partners.
Technical Details
Hackers gained access to unencrypted files in the code library, including dates of birth, phone numbers, home addresses, and job titles.The breach stemmed from a third-party development environment vulnerability, not core university infrastructure, highlighting supply chain risks in academic IT ecosystems.Authorities including the Australian Cyber Security Centre and NSW Privacy Commissioner were notified promptly.
University Mitigation Steps
Access was revoked, datasets deleted from the repository, and personalized notifications rolled out starting December 18, aiming for January 2026 completion. A dedicated support portal, FAQ page, and counseling resources stand ready for affected individuals.Ongoing monitoring scans dark web and threat feeds for leaked data.
Actionable Advice for Affected Parties
- Monitor personal and financial accounts for phishing or unauthorized activity.
- Update passwords and enable multi-factor authentication across services.
- Contact IDCARE (1800 595 160) or ID Support NSW (1800 001 040) for identity protection guidance.
- Report suspicions to university cyber team or local police; avoid public sharing of details.
Vulnerability managers scanning Australian education sectors should prioritize third-party code repo audits, enforcing least-privilege access and encryption for legacy datasets—key lessons from this incident amid rising targeted attacks on universities.
