Cyber Incident Victim: University of Sydney

Date: Feb 2015

Location: Australia

Summary

The University of Sydney experienced a data breach when an unauthorized party accessed its Online Recruitment System for Economic Experiments (ORSEE), compromising personal information of approximately 5,000 students, including names, contact details, and gender. The institution's security team was notified by another university about a software vulnerability, but the affected system was not disabled until eight days after the initial intrusion.


Description

On February 12, 2015, Duncan Ivison, Dean of the Faculty of Arts and Social Sciences at the University of Sydney, notified approximately 5,000 students that their personal information had been exposed due to a cybersecurity breach. The incident involved unauthorized access to the ORSEE (Online Recruitment System for Economic Experiments) application, which stored student names, contact details, and gender information. The breach occurred on February 2 when an unknown party exploited a vulnerability in the system. Many affected students had applied to participate in the university's economic experiments through this platform. The University’s Information Security Team first became aware of the software vulnerability on February 6 after receiving a tip from another university. Despite this alert, the team did not immediately disable the compromised ORSEE system.

The ORSEE application remained operational for eight days following the initial intrusion until the Information Security Team finally disabled it on February 10. This delay left student data exposed for over a week after the intrusion, and the system stayed online even after the external notification on February 6. The university initiated direct email notifications to impacted students two days after system shutdown, confirming the exposure of their personal details but providing no evidence of misuse. The incident exclusively affected participants registered in the Faculty of Arts and Social Sciences' research program, with no broader university systems reported as compromised. No technical details about the attack methodology or identity of the threat actor were disclosed in the notification.
