Cyber incident: support and frequently asked questions

Further information about the recent cyber incident affecting a subset of our community.

18 December 2025

The University of Sydney has notified its community of a cyber incident in which historical data relating to certain members of our community has been accessed. Further information for those affected is below.

Support for our community

If the support you require has not been listed here and you would like someone to call you, please use the additional assistance form and include your preferred contact.

Frequently asked questions

Last week, we were alerted to suspicious activity in one of our online IT code libraries. We took immediate action to protect our systems and community by blocking the unauthorised access and securing the environment.

The code library is used for code storage and development. A number of data files containing personal information were also located in the code library. We believe these are historical extracts primarily used for testing purposes at the time the code was developed.

Historical data files in this code library contained personal information about some members of our community. To our knowledge, the data accessed has not been used or published.

We have notified relevant government authorities and are working with our cyber security partners to fully understand the scope of the situation. An investigation is underway and, given its complexity, we expect this process to continue into the new year. At this stage, the unauthorised access was limited to a single platform and did not affect other University systems.

We are carefully working through the data to identify all affected members of our community so we can inform them as soon as possible and provide appropriate support.

Notifications to affected individuals commenced on 18 December 2025. We aim to complete notifications in January 2026 when we estimate the full assessment of file reviews will be completed and we have contact details for all impacted individuals.

Our current investigations indicate the accessed data includes:

  • personal information of around 10,000 current staff and affiliates who were employed or affiliated as at 4 September 2018
  • personal information of around 12,500 former staff and affiliates who were employed or affiliated as at 4 September 2018
  • a series of historical data sets predominantly from 2010-2019 containing personal information of around 5000 alumni and students, as well as six supporters.

General advice on the precautions people can take to lower the risk of their accessed data being misused is provided below.

As part of a cyber incident, several historical data files containing personal information have been accessed but, to our knowledge, have not been published. We are actively monitoring for any signs of publication or dissemination of this information and will continue to do so. If we discover any such publication, we will contact staff again as an immediate priority.

Our current investigations indicate the accessed data includes:

  • Personal information of staff employed as at 4 September 2018
  • A series of historical data sets predominantly from 2010-2019 containing personal information of around 5000 alumni and students, as well as six supporters.

No. The University has been working with our cyber security partners to conduct extensive monitoring of the dark web and assess whether any information has been misused. We have found no evidence of misuse but will communicate with staff again if we discover any such publication. We recommend individuals take proactive steps to protect their information as a precautionary measure.

General advice on the precautions people can take to lower the risk of their accessed data being misused includes:

  • Be vigilant: Monitor your online activities, observe personal, financial, and University accounts for any unusual or suspicious activity. Be alert to phishing emails or calls that may appear to come from trusted sources that request personal information.
  • Change passwords: Change your passwords for your online accounts and always use multi-factor authentication where you can.
  • Report: If you suspect your information is being misused, report it to local law enforcement and the University Cyber Security Team immediately.
  • Tell your family and friends: Please let your family and friends know about this incident. Tell them to contact you directly if they have any suspicions that your personal information is being misused or someone is pretending to be you.
  • Don’t share on social media: To avoid scammers, we recommend you don’t share this notice on social media.
  • Verify incoming messages and texts: Make sure messages are coming from a trusted source before you respond to them.
  • Find out more about the University’s approach to cyber security.

As soon as we became aware of the cyber incident, we acted by:

  • blocking the unauthorised access to the online code library
  • commencing an investigation to understand the scope of the issue and identify those who were affected
  • implementing our cyber security procedures to ensure heightened security of other University systems
  • purging the identified datasets from the code library
  • contacting relevant authorities, including the NSW Privacy Commissioner, Australian Cyber Security Centre, the Tertiary Education Quality and Standards Agency, the National Student Ombudsman, and ID Support NSW
  • continuing to work with our cyber security partners to actively identify if any of the data has been disclosed online.

We take our cyber security responsibilities seriously and have engaged expert partners to assist with incident response. Over the past three years, we have implemented an extensive program to review and strengthen our data management practices. We continue to enhance these processes to protect against similar incidents, with work ongoing under the Privacy Resilience Program. The identified datasets have been purged from the code library, and we are now investigating what further actions are necessary to ensure ongoing best practice.

We apologise that this incident occurred and for the distress caused to those affected. We take cyber security very seriously, and have taken immediate action to reduce the impact of this incident and to prevent incidents like this occurring in future.

Support options are available and featured at the top of this page. Please don’t hesitate to access them if you need.

We have informed relevant authorities including the NSW Privacy Commissioner, Australian Cyber Security Centre, the Tertiary Education Quality and Standards Agency, the National Student Ombudsman, and ID Support NSW about the cyber security incident.

No. This is an entirely unrelated matter.
