Data leak
Western Sydney University Data Breach: 10,000 Students and Staff (Microsoft 365 Compromise)
Incident Details
Western Sydney University (WSU) disclosed a data breach in May 2023 involving unauthorized access to its Microsoft 365 email environment and SharePoint files from approximately January 2023. Approximately 7,500 individuals were affected in the initial 2023 breach. A subsequent and more significant breach was disclosed in May 2024 involving WSU’s Isilon storage platform and Student Management System, affecting approximately 10,000 current and former students and staff. Exposed data included names, addresses, email addresses, phone numbers, dates of birth, student enrollment details, health information, and in some cases financial information.

WSU reported both breaches to the OAIC under Australia’s Mandatory Data Breach scheme. The Australian Cyber Security Centre (ACSC) assisted with the response. WSU established a dedicated breach support service for affected individuals. The breach was part of a broader pattern of Australian university cyber incidents in 2023-2024. A formal OAIC investigation was commenced.

WSU subsequently invested significantly in cybersecurity uplift including enhanced identity and access management, privileged access controls, and 24/7 security monitoring. The case highlighted the particular vulnerability of university environments (with large numbers of users, diverse IT systems, and high volumes of sensitive student personal and health data) to credential-based attacks.
Technical Details
- Initial Attack Vector: Attacker gained unauthorized access to Western Sydney University's Microsoft 365 email environment and SharePoint files via compromised credentials and maintained persistent access over several months, exfiltrating data. A separate subsequent breach in 2024 affected the Student Management System.
- Vendor / Product: Western Sydney University Microsoft 365 / SharePoint
Timeline
- 2023-01-17 Breach occurred
- 2023-05-09 Publicly disclosed
- 2023-05-09 Customers notified