University of Sydney reports data breach affecting over 20,000 staff, affiliates

The University of Sydney disclosed a data breach that exposed personal data on tens of thousands of staff, students and alumni after hackers accessed one of its internal code libraries.

The university said it detected the incident last week in an online code repository used by its IT teams and quickly secured the system. While the platform was primarily used for software development, it also contained historical data from a retired system with names, dates of birth, phone numbers, home addresses and job-related details for employees at the university as of September 2018.

There is so far no evidence the data has been misused or published, according to Vice-President Nicole Gower.

“We are actively monitoring for any signs of use or publication and, should this occur, we will update you immediately,” he said.

An internal investigation is ongoing and is expected to continue into the new year. The university has also notified relevant government authorities. Officials said the breach was limited to a single platform and did not affect other university systems. The identity of the hackers remains unknown.

Preliminary findings indicate the compromised data includes personal information on around 20,500 current and former staff and affiliates, as well as historical datasets from 2010–2019 containing information on about 5,000 students and alumni, and six university supporters.

The University of Sydney is one of Australia’s oldest public research institutions, with more than 70,000 students and roughly 8,000 staff. It previously reported a cyber incident in 2023 involving a third-party service provider that exposed data on recently enrolled international applicants.