You are here

Cyber incident

The University has identified a cyber security incident within our systems.

On 7 December 2023, the University of Wollongong experienced a cyber security incident. The incident was detected and contained rapidly and teams have been working diligently to fully determine the impact.

The University sincerely apologises for any inconvenience to staff and students and wishes to reiterate that the impacted system has been contained and all necessary actions taken to strengthen controls in an effort to prevent similar incidents occurring. Our commitment to data protection and integrity remains a key priority.

The completed investigation has included external experts and, as a result of this investigation, we are able to inform people about the individual impact of the incident on our staff and students.

UOW has partnered with IDCARE, Australia’s national identity and cyber support community service, to provide the most up-to-date support and advice to impacted staff and students. IDCARE’s expert case managers will work with impacted individuals to address concerns about any risk to personal information and any instances where they think information might be misused.

Staff who want to discuss their individual situation further can create a P&C Help Desk Ticket.

Students who want to discuss their individual situation further can contact AskUOW.

Cyber security awareness

See our cyber security awareness page for hints and tips on staying cyber safe.

Awareness and resources
Cyber safety - everyone's business

FAQ

We have conducted an in-depth investigation, and worked to determine what information was potentially involved to enable us to provide appropriate advice and support to all those who may be at risk. 

This process is complex and has taken some time to complete. 

UOW has kept staff and students updated as and when information became available while we were carrying out this investigation. 

We first identified the incident in December 2023 and have been working as a priority to determine what information may have been affected.

UOW has engaged IDCARE to provide the most up-to-date support and advice available to staff and students. IDCARE is a national identity and cyber support service that helps individuals and organisations reduce the harm they experience from the compromise and misuse of their identity information by providing effective response and mitigation. IDCARE’s expert case managers will work with those at risk to address concerns about any risk to personal information and any instances where they think information might be misused. This information has been shared with relevant individuals. If you did not receive the details, please create a P&C Help Desk Ticket for staff or AskUOW for students.

We have implemented new security controls over key cloud-based systems incorporating the latest best-practice techniques. We have also activated additional security monitoring services.

There is a function to report phishing in Outlook when you have the email open. Each report is investigated by the Cyber Security team at IMTS and necessary actions, including the blocking of senders, will be taken.

Staff who want to discuss their individual situation further can contact IDCARE
or create a P&C Help Desk Ticket 

Students who want to discuss their individual situation further can contact AskUOW.

We have not received reports of spam or phishing emails related to this incident. However, organisations across the board are seeing a general rise of phishing emails and we recommend that you stay vigilant by reporting suspicious emails and avoiding clicking on any unknown or suspicious links.

There is a function to report phishing in Outlook when you have the email open. Each report is investigated by the Cyber Security team at IMTS and necessary actions, including the blocking of senders, will be taken.

This is an important reminder to be vigilant with scam emails. Please make sure you check origin email addresses and if you’re unsure, please report it to the IMTS Service Desk on 02 4221 3000 or email the IMTS Cyber Security team at it-security@uow.edu.au.

Personal information FAQs

Individually, full name is a low-risk identity attribute, however in combination with other information (such as address and phone number) scammers engaging you may appear more legitimate.

Recommendations

  • Keep being scam vigilant. You may see an increase in targeted phishing attempts via email, text messaging or telephone calls, where the scammer uses details specific to you (such as your name and date of birth for “verification”).
  • Never click on links in emails or text messages, no matter how legitimate they appear. Do not be pressured to respond, whether it is by email, text message or telephone. If you want to know whether an organisation tried to get in touch with you, contact the organisation yourself using contact details you know are correct.

The physical address will be the one provided to the University of Wollongong.

For most individuals, physical addresses are considered low risk identity attributes. However, in combination with other attributes (such as your full name, date of birth, email address and phone number) scammers engaging you via email, SMS or telephone may appear more legitimate.

Reports of cyber criminals physically attending a person’s address are very low. Most scammers and cybercriminals are not in Australia.

Recommendations

  • Keep being scam vigilant.
  • If you have specific concerns about the exposure of your address details as a survivor of family and domestic violence or due to any other personal reasons, we recommend discussing with IDCARE. If you were impacted, you would have received details.

The phone number will be the one provided to the University of Wollongong. This could be your mobile or a landline/home phone number.

Potential risk is being exposed to spam or scam phone calls, so stay vigilant.

Recommendations

  • Stay super vigilant about scams, particularly telephone and SMS scams. Having some personal information (such as your full name, address, date of birth, or phone number), can make the job of scammers much easier when convincing people about their deception.
  • Do not feel pressured to respond to a call or text message.
  • If you think a call may be legitimate, hang up and call the organisation back using details that you know are correct. 
  • Do not download apps or software (such as AnyDesk or TeamViewer), follow technology instructions, or allow remote access to your device to someone who has called you.
  • Do not click on links in text messages. Instead, contact the organisation using details you know are correct.

The email address accessed will be the University of Wollongong email address.

Potential risks include an increase in email phishing attempts, particularly from scammers claiming to be from the University of Wollongong. These emails may include malicious attachments, links to fake websites, or may try to download malware onto your device. They may encourage you to update or verify your details or to access a reimbursement via a link.

There is also the risk that your email address may be “spoofed” so that it appears to the recipients that the email came from you.

Additionally, there is the potential for extortion attempts, whereby a criminal claims to have access to your information and threatens to release it unless you provide payment. It is important not to comply with such requests, no matter how convincing they may appear.

Recommendations

  • Stay super vigilant about scams and phishing emails.
  • Beware of phishing emails, including those asking to update billing details, pay invoices, or apply for reimbursements.
  • Never click on links in unsolicited or unexpected emails, no matter how legitimate they appear.
  • Do not be pressured to respond to emails. Instead, contact the organisation directly using contact details you know to be correct.
  • Use an up-to-date antivirus application that includes email protection and scanning.

Please refer to your incident notification to determine whether your banking details may have been exposed. The Bank Account details would be those provided to the University of Wollongong.

Although bank and account number do not present a direct financial misuse risk, they identify who the financial institution is, which may make impersonation scam attempts appear more legitimate.

Recommendations

  • Stay super vigilant about scams and phishing emails.
  • You may wish to contact your financial institution to inform them of the breach and seek advice in relation to any additional security measures that may be required.

Although misuse of your superannuation membership number is unlikely, a precautionary approach should be considered.

UniSuper has been informed of this incident. You can review and update your details with UniSuper through their member online portal. Ensure that you have a personal email address recorded. Where possible, direct your multi-factor authentication (MFA) to your mobile rather than email.

For other Superannuation funds, we recommend you contact your superannuation fund to inform them of what has happened and to ensure all profile information is correct. Further, seek their advice as to whether any additional security measures may be required.

Please look out for suspicious or fraudulent activity and any notifications which seem out of place. If you notice unusual activity or any notifications which seem odd or suspicious, please do log a ticket via the IT Service Desk or report directly via your Outlook software.

For information on how to stay safe and protect yourself online, visit the Australian Government’s Stay Smart Online website:

More information FAQs

Staff who want to discuss their individual situation further can contact IDCARE. You would have received details via email,
or create a P&C Help Desk Ticket 

Students who want to discuss their individual situation further can contact AskUOW.

This is an important reminder to be vigilant with scam emails. Please make sure you check origin email addresses and if you’re unsure, please report it to the IMTS Service Desk on 02 4221 3000 or email the IMTS Cyber Security team at it-security@uow.edu.au.  

To learn about how you can protect yourself from common email threats, please read our Email Security Threats – Examples article.  

Students can call or text our free UOW Student Wellbeing Support Line any time, all year round. Call 1300 036 149 or text 0488 884 164.

Staff can contact UOW’s Employee Assistance Program (EAP) provider, TELUS Health is a professional and confidential counselling service that is offered to UOW employees and members of their immediate family for both personal and work-related issues. To arrange a consultation with a counsellor, please call 1300 361 008. After hours consultations are available upon request.

You can lodge a complaint to UOW's Complaints Management Centre.

You are welcome to raise a formal request for a review of UOW's conduct in the handling of your personal information by completing the form and submit to UOW's Information Compliance Unit at icu-enquiry@uow.edu.au. You also have a right to make a complaint to the NSW Information Privacy Commissioner in relation to this matter.

The Privacy Commissioner may be contacted as follows:
Freecall: 1800 472 679
Email: ipcinfo@ipc.nsw.gov.au
Website: www.ipc.nsw.gov.au

Give feedback or make a formal complaint

The University always welcomes feedback. To provide feedback, visit UOW Feedback.

Further questions

Staff who want to discuss their individual situation further can create a P&C Help Desk Ticket.

Students who want to discuss their individual situation further can contact AskUOW.

First published: Friday 08 December, 2023 | Last updated: Wednesday 24 January, 2024