Cyber Incident Victim: University of Western Australia

Date: Jul 2022

Location: Australia

Summary

The University of Western Australia experienced a data breach involving unauthorized access to its Callista student information management system, potentially compromising personal details of current and former students. Exposed information included names, residential addresses, phone numbers, email addresses, course details, photographs, and emergency contact details, though financial data, medical records, and passport information were not stored in the affected system. The institution notified impacted individuals, initiated an investigation, and reported the incident to law enforcement authorities, urging vigilance against suspicious activity. The breach occurred following a similar security incident affecting another Western Australian organization's email service provider.

Description

On or around July 1, 2022, the University of Western Australia (UWA) disclosed a data breach involving unauthorized access to its Callista student information management system. The university detected unauthorized login activity to Callista, which is utilized by multiple Australian educational institutions including Monash University and Edith Cowan University. UWA’s vice-chancellor Amit Chakma confirmed the incident in a formal notification to students and alumni, characterizing it as a "random attack" with an ongoing investigation. The breach exposed personal information of current and former students, including names, residential addresses, phone numbers, email addresses, course enrollment details, and student identification photos. Emergency contact details stored in the system were also compromised, potentially affecting individuals beyond the student body. UWA reported the incident to the Western Australian Police for criminal investigation but did not specify the exact timeframe of the unauthorized access or the method of intrusion.

The compromised data did not include financial, medical, or government-issued identifiers such as credit card details, tax file numbers, passports, bank information, or medical records, as these were not stored in Callista. The university advised affected individuals to remain vigilant about data storage practices and to monitor for suspicious activity, though it did not confirm the number of impacted parties or whether data was exfiltrated. Concurrent investigations focused on determining the full scope of accessed records and the attacker’s objectives. The breach notification occurred one week after a separate, unrelated incident involving the Western Australian Arts and Culture Trust’s email provider, though no operational or threat actor link between the two events was asserted. UWA’s response emphasized containment of the breach and collaboration with law enforcement, without disclosing remediation steps or system security enhancements implemented post-incident.
