Cyber Incident Victim: University of Sydney
Date:
Feb 2015
Location:
Australia
Summary
The University of Sydney notified about 5,000 students that their personal information may have been exposed after a breach of the ORSEE application. The breach was discovered following a tip from another institution, leading the security team to disable the system after unauthorized access had occurred.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On February 2, 2015, the University of Sydney's Information Security Team detected that an unknown party had gained access to the ORSEE database, which hosts the Online Recruitment System for Economic Experiments. The team became aware of a potential vulnerability in the software after receiving a tip from another university on February 6, 2015. Despite the early warning, the compromised system remained active until February 10, 2015, when the security team finally disabled ORSEE to prevent further unauthorized access. The interval between the initial intrusion and the shutdown spanned eight days.

The ORSEE application stored personal information for approximately 5,000 students who had expressed interest in participating in the university's economic experiments. This data included each student's name, contact details, and gender. The breach exposed these fields to the unknown intruder, potentially allowing the information to be copied or misused. On February 12, 2015, Dean Duncan Ivison of the Faculty of Arts and Social Sciences sent an email to the affected students informing them that their personal details might now be in the hands of hackers.
The notification email constituted the primary response action taken by the university to alert those impacted by the incident. By disabling the ORSEE application on February 10, the Information Security Team halted any further access to the compromised database. The university did not publicly disclose additional forensic findings or identify the responsible party in the available reports. The incident concluded with the student notifications and the temporary removal of the vulnerable system from service.
