The University of Sydney has confirmed a cyberattack that exposed personal information for approximately 27,000 people stored in a historical code library used for testing and development. The university said hackers accessed archived files containing names, dates of birth, phone numbers, home addresses, employment details, and other personal information of current and former staff, alumni, and a small number of donors. The breach was identified after the university detected suspicious activity in the online code repository and took immediate action to block access and remove the affected files.
Nicole Gower, vice-president of operations, informed staff in an internal message that the compromised data included records for some 10,000 current and 12,000 former staff and affiliates, about 5,000 alumni, and six donors. The university said it was unaware of any misuse or publication of the data and was conducting extensive monitoring to assess whether any of the information had appeared on external systems. It also said that notification of all affected individuals is ongoing and expected to continue into the following month.
The University of Sydney said it had purged the exposed data from the code library and reported the incident to relevant authorities, including state and federal privacy regulators and cybersecurity bodies. It encouraged those affected to take precautionary steps to protect their personal information. A university statement acknowledged that the breach may cause concern and offered support services for those affected.
The attack targeted historical records that were not part of live administrative systems and were primarily used for testing purposes, according to the university’s communication to staff. The institution said it isolated the vulnerable system as soon as it was alerted to unusual activity, and that it is now working with cybersecurity partners to strengthen monitoring and prevent further incidents.
The University of Sydney’s confirmation of the breach distinguishes this incident from unrelated processing errors that occurred at the same time, including an email distribution error in which some students received incorrect semester results. The university clarified that the exam result issue did not involve other students’ personal data and was a separate operational problem.
University campuses and research institutions in Australia and internationally have been targeted in previous cyberattacks due to the volume and sensitivity of the data they store and share. The University of Sydney breach is among the most recent examples of educational institutions addressing vulnerabilities in legacy systems and archived repositories.