Western Sydney University (WSU) has reported a widespread email scam affecting both current students and alumni, prompting renewed attention to cyber risk management within the education sector and among insurers.
According to 9News, the incident involved multiple fraudulent emails sent from compromised accounts, falsely claiming that recipients’ degrees had been revoked and that they were permanently barred from further study at the institution.
One of the emails, viewed by several recipients, stated: “We regret to inform you that, following a thorough review, the decision has been made to permanently exclude you from any further study at Western Sydney University. As a result, any existing certificates or awards previously issued to you are hereby revoked.”
The message further indicated that enrolments would be cancelled and access to university systems would be terminated.
In addition to the degree revocation claims, some students received a separate message from an address labelled “Parking Permits.”
This email alleged that a student had exploited system weaknesses to create a fraudulent parking permit and gain access to university email addresses.
The message described the event as evidence of “fundamental security weaknesses” within WSU’s digital infrastructure.
The university has not confirmed how many individuals were affected or whether sensitive data beyond email addresses was accessed.
However, recipients noted that the fraudulent messages included accurate personal details, such as student numbers and official university links, raising concerns about the potential for further misuse of personal information.
The incident has caused distress among some students and graduates, with reports of anxiety and uncertainty about the status of their academic records.
One affected individual told 9News: “The email said they were revoking my degree, which would have put my entire academic and teaching career in jeopardy. This email has caused immense undue stress and panic.”
Western Sydney University acknowledged the incident and clarified that the emails were not authentic.
“Western Sydney University is aware of fraudulent emails sent to students and graduates, with some falsely claiming that they have been excluded from the university or that their qualifications have been revoked,” the university said in a statement. “Please be assured these emails are not legitimate. The university has not issued any such notices, and your enrolment and/or awards remain unaffected.”
NSW Police have confirmed that the incident is under investigation by the Cybercrime Squad.
“Cybercrime Squad detectives are investigating an alleged data breach involving Western Sydney University. Anyone who believes their details may have been compromised is urged to contact ReportCyber,” the police said in a statement, as reported by 9News.
This event follows a previous data breach at WSU earlier in the year, in which the personal data of approximately 10,000 students was exposed online. That incident resulted in criminal charges against a former student.
