Western Sydney University (WSU) recently landed in hot water when two alarming emails were sent to former and current students as a result of a data breach that occurred earlier in the year. In this article, we’ll break down the contents of the two emails, the allegations against the university, and explain how businesses can prevent this from happening to them.
Imagine getting an email from your university stating that your degree has been revoked. All your hard work, the hours and the money you’ve spent. Mass panic spread among Western Sydney University’s current and former students when seemingly hundreds of people received an email stating their degree had been revoked.
A second email was then sent out to students, which detailed the alleged failures of Western Sydney University’s security practices including allegations that:
- WSU was made aware of cyber vulnerabilities in 2017 and failed to take meaningful action to fix them;
- sensitive data was hacked and stolen from WSU’s eForms system in August, something the university didn’t alert students (its clients) to; and
- there have been verified instances where a student’s grades were modified without the university’s knowledge, including cases that appear to involve direct database access.
At least one of these allegations was verifiable. In June, ABC reported that a 27-year-old woman was arrested for a series of hacks to WSU over four years; in one case, she changed her grades from a fail to a passing mark. Allegations like this seriously damage the reputation of the University, as well as calling into question the authenticity of students’ hard work and the confidence that employers have in degrees from the university. The University is yet to comment on the allegations in the second email.
What happened?
These emails come just months after a breach in April, where students’ private information ended up on the dark web. Information such as tax file numbers, ID documents, names, student numbers and email addresses were leaked. Western Sydney University has confirmed that this recent incident was not a new data breach, rather, it was fallout from the previous data breach in April.
WSU has stated on social media that in this case, no new data was stolen. An unauthorised person accessed an automatic email generator and loaded previously stolen information into it to send out the emails en masse. The university claims that it has shut down this system and that the incident is now fully contained.
What does this data breach mean for the university and its clients?
While the aim of this breach was likely to tarnish the reputation of the WSU, the other victims are the students and staff this has affected – who are ultimately the university’s clients.
The emotional stress of a data breach and its consequences can be felt long after it occurs. Data that was stolen in April was able to be used months later as a way to incite panic and anxiety. This incident has not only destroyed confidence in WSU’s security practices but also called into question the integrity of the grades and degrees being awarded by the university.
What can businesses do to prevent this from happening?
Unfortunately, there have been instances where businesses have never recovered from a cyber-attack. It’s a scary thought, so prevention is essential to protecting your business. A great way to reduce the likelihood of an attack is to implement an ISO 27001 Information Security Management System and have it certified. This will not only mitigate risks and tighten up security standards but also cement trust with stakeholders and show that measures are in place to shield the organisation from external and internal threats. It’s the best way to safeguard your organisation, guarantee business continuity, and establish trust with key stakeholders. Preventing a cyberattack can be costly, but not protecting your business will cost you more.
How does ISO 27001 work?
1. Enforcing stringent access controls
ISO 27001 emphasises access control mechanisms, ensuring only authorised personnel have access to sensitive data. This minimises the chances of a compromise like the one seen in the case above, where an unauthorised person was able to operate the university’s email generator.
2. Regular risk assessments
Risk assessments under ISO 27001 identify and evaluate potential vulnerabilities in your information systems and communication processes, so businesses can identify and mend these gaps.
3. Establishing strong communication protocols
ISO 27001 encourages establishing secure communication protocols, including mandatory verification processes for financial transactions.
4. Employee training and awareness
Cyber scam awareness training for employees is a business’ first line of defence. ISO 27001 requires regular training to ensure staff can spot phishing attempts, fraudulent emails, or unusual requests.
5. Securing vendor relationships
Under ISO 27001, businesses are required to carefully vet vendors and ensure third parties comply with data security standards. This is critical to prevent compromised vendor accounts, such as the conveyancer in this case, from becoming a liability.
6. Monitoring and incident response
Should an incident occur, ISO 27001 mandates the establishment of incident response teams to quickly handle any breaches. Monitoring tools, aligned with ISO processes, can detect anomalies and raise flags before damage occurs.
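As an added illustration of the kind of monitoring point 6 refers to (not code from the original article or from WSU), the following script flags anomalous activity in an automated email generator of the sort abused in this incident: a burst of recipients far above the sender’s normal volume, a message template that is not on the approved list, and sending outside business hours. The log format, the sender name, the template names and all thresholds are assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log from a hypothetical automated email generator.
# Assumed format: ISO timestamp, sending account, recipients in batch, template id.
SAMPLE_LOG = """\
2025-09-14T09:00:10 notify-svc 12 enrolment-reminder
2025-09-14T09:05:42 notify-svc 8 enrolment-reminder
2025-09-14T09:11:03 notify-svc 15 fee-notice
2025-09-14T23:41:00 notify-svc 4200 degree-status
2025-09-14T23:41:30 notify-svc 3900 degree-status
2025-09-14T23:42:05 notify-svc 4100 degree-status
"""

APPROVED_TEMPLATES = {"enrolment-reminder", "fee-notice"}  # assumed allow-list
WINDOW = timedelta(minutes=5)                               # assumed sliding window
MAX_RECIPIENTS_PER_WINDOW = 500                             # assumed normal baseline
BUSINESS_HOURS = range(7, 20)                               # 07:00-19:59, assumed


def parse_line(line):
    """Split one log line into (timestamp, sender, recipient_count, template)."""
    ts, sender, count, template = line.split()
    return datetime.fromisoformat(ts), sender, int(count), template


def detect_anomalies(log_text):
    """Return one (timestamp, sender, [reasons]) alert per suspicious log line."""
    alerts = []
    recent = defaultdict(deque)  # sender -> deque of (timestamp, count) inside WINDOW
    for line in log_text.strip().splitlines():
        ts, sender, count, template = parse_line(line)
        window = recent[sender]
        window.append((ts, count))
        while window and ts - window[0][0] > WINDOW:   # drop batches older than WINDOW
            window.popleft()
        total = sum(c for _, c in window)

        reasons = []
        if total > MAX_RECIPIENTS_PER_WINDOW:
            reasons.append(f"{total} recipients in {WINDOW} exceeds baseline {MAX_RECIPIENTS_PER_WINDOW}")
        if template not in APPROVED_TEMPLATES:
            reasons.append(f"unapproved template {template!r}")
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("sending outside business hours")
        if reasons:
            alerts.append((ts, sender, reasons))
    return alerts


if __name__ == "__main__":
    for ts, sender, reasons in detect_anomalies(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} {sender}: " + "; ".join(reasons))
```

Thresholds like these belong in the monitoring configuration agreed during the risk assessment, so that a sudden bulk send from an otherwise quiet system pages someone before the messages leave the building.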
Now is the time to act
WSU’s data breach, and the subsequent fallout, should serve as a wake-up call for executives everywhere. Take cyber security seriously. It could be your system that gets hacked next, with your clients receiving an alarming email or having their data end up on the dark web. Talk to us today about starting your ISO 27001 journey.