Western Sydney University has revealed that attackers had access to its Isilon storage infrastructure and 580TB of data for over eight months.
The university said that the attackers accessed “83 of the 400 directories in Isilon” and with that, a trove of personally identifiable and sensitive information.
Isilon is a network-attached storage system that was once made by a company of the same name, before being bought by EMC, which in turn was bought by Dell.
The university said the Isilon storage infrastructure “holds My Documents information, departmental shared folders, and some backup and archived data.”
"Students and staff have access to their own My Documents, which includes My Documents, Desktop data, downloads, favourites and web history etc," it said in an FAQ.
"The My Documents folders are located on our centralised network storage, which means an individual can access their My Documents on any computer within the Western network."
Investigations so far show that unauthorised access to Isilon "occurred between July 9 2023 and March 16 2024".
“Our initial review of Isilon has found personally identifiable information (PII) was accessed, including names, contact details, dates of birth, health information, sensitive information relating to workplace conduct and health and safety matters, government identification documents, tax file numbers, superannuation details and bank account information," the university said.
“The university has not detected any further unauthorised access to Isilon since remediation work took place on March 16.”
It added that it had received no threats to disclose or publish the data and had not seen it leaked onto the dark web.
The university’s security problems stem from an initial breach of its Microsoft 365 environment in May last year.
It said there is “no evidence” of attacker access beyond the “Microsoft Office 365 and Isilon environments" but did not explain how lateral movement occurred.
A number of federal and state authorities are involved in investigations, with NSW Police Force’s Cybercrime Squad conducting an investigation under Strike Force GIRRAKOOL.
The university said it would “endeavour” to notify all individuals impacted by the Isilon breach but said it may not be able to identify everyone.
