The University of Sydney has begun notifying former staff, alumni and donors after a cyber breach exposed personal details stored in what the institution described as “historical files” kept inside an online code library used for IT testing.
The university said hackers accessed data relating to nearly 13,000 people, including 7945 staff who were employed on September 4, 2018. The compromised information includes names, dates of birth, phone numbers and home addresses, alongside employment details such as job titles and dates.
A further 5000 alumni and former students were caught up in the incident, along with six donors, drawn from data sets spanning 2010 to 2019.
In an internal message to staff, the university’s vice-president of operations, Nicole Gower, acknowledged the anxiety such incidents provoke. “We understand this news may cause concern, and we sincerely apologise for any distress this may cause,” she wrote. “To our knowledge, the data has not been published.”
The university said it had removed the affected data sets from the code library and reported the incident to multiple agencies, including the NSW Privacy Commissioner, the Tertiary Education Quality and Standards Agency, the National Student Ombudsman, the Australian Cyber Security Centre and ID Support NSW.
On its website, the university said it was working with external specialists and “doing extensive monitoring of the dark web to assess whether any information has been misused”. It added: “We have found no evidence of misuse but will communicate with staff again if we discover any such publication,” and urged caution: “We recommend individuals take proactive steps to protect their information as a precautionary measure.”
The institution also sought to separate the breach from an unrelated administrative error involving the release of incorrect Semester 2 results. “We know this could have caused stress and confusion – support is available for anyone who may need it,” the university said.
For insurance professionals, the episode is another reminder that education-sector incidents can create long-tailed exposure, even where there is no confirmed public leak. The data types involved in this breach — identity details and contact information — are commonly used in impersonation and social engineering, raising the risk of downstream scams against former employees and alumni. For brokers and underwriters, the case underlines the importance of probing how organisations manage non-production repositories such as test environments and code libraries, which can fall outside the strongest controls applied to core systems.
The incident also arrives amid heightened scrutiny of alleged repeat cyber offending in the higher education sector. In a separate case in NSW, police under Strike Force Docker have charged a former Western Sydney University student over an alleged series of cyber hacks dating back to 2021, involving unauthorised access, data exfiltration, system compromise and misuse of university infrastructure. Police allege that after an earlier arrest and charges laid in June, offending continued, including more than 100,000 fraudulent emails sent to students intended to damage the university’s reputation and cause distress. The accused has been charged with additional offences including breach of bail and was refused bail to appear in Parramatta Local Court.
Taken together, the two matters are likely to sharpen insurer attention on the sector’s exposure to credential misuse, weak governance around legacy data, and the potential for reputational harm delivered through mass messaging campaigns. For cyber and management liability placements, the University of Sydney breach will be watched closely for any evidence of misuse and for how quickly affected individuals are supported once notifications begin.
