Article Details
Scrape Timestamp (UTC): 2025-12-19 17:09:49.661
Source: https://www.theregister.com/2025/12/19/sydney_uni_breach/
Original Article Text
Sydney Uni data goes walkabout after criminals raid code repo.
Attackers helped themselves to historical personal info on 27K people.
The University of Sydney is ringing around thousands of current and former staff and students after admitting attackers helped themselves to historical personal data stashed inside one of its online code repositories.
In a message published on December 18, the vice president of operations at the University of Sydney, Nicole Gower, said the university was alerted last week to "suspicious activity in one of our online IT code libraries." She said this had triggered an emergency lockdown of the system.
While the repository was meant for software development, Gower acknowledged that "there were also historical data files in this code library containing personal information about some members of our community."
The university was quick to stress that the incident was unrelated to a separate student results issue reported a day earlier and said there is currently no sign that the data has been misused.
According to an accompanying FAQ, the compromised system contained historical data extracts used for testing during earlier development work, rather than live production databases. Officials said the unauthorized access was limited to a single platform and that other university systems were not affected.
Even so, the files were accessed and downloaded, and the university has brought in external cybersecurity partners while notifying government authorities as the investigation continues into the new year.
The university estimates that the accessed data includes personal information for approximately 10,000 current staff and affiliates and around 12,500 former staff and affiliates active as of September 4, 2018. On top of that, historical datasets spanning 2010 to 2019 include records linked to roughly 5,000 alumni and students, as well as six supporters.
For staff linked to one of the retired systems involved in the incident, the exposed information may include names, dates of birth, phone numbers, home addresses, and basic employment details such as job titles and dates of employment.
Gower confirmed that "the data has been accessed and downloaded," while insisting there is "no evidence it has been used or published."
The University of Sydney said it began sending notifications to affected individuals on December 18, though it warned that the process will drag into January 2026 as it finishes reviewing the files and checking contact details.
The institution says it has purged the identified datasets from the code library and is assessing further remediation under its Privacy Resilience Program.
While the university maintains there is no evidence of harm so far, the episode is another reminder of how long-forgotten data can come back to bite.
Daily Brief Summary
The University of Sydney reported unauthorized access to a code repository containing historical personal data of 27,000 individuals, including staff, students, and alumni.
The breach involved data from 2010 to 2019, with information such as names, dates of birth, and contact details exposed.
The university initiated an emergency lockdown of the affected system and engaged external cybersecurity experts to assist with the investigation.
Notifications to affected individuals began on December 18 and will continue into January 2026 as the university verifies contact information.
No evidence has been found of the data being misused or published, but the incident serves as a cautionary tale about the risks of retaining outdated data.
The university has purged the compromised datasets and is exploring further security measures under its Privacy Resilience Program.
Government authorities have been informed, and the investigation is ongoing to ensure comprehensive remediation and prevent future incidents.