Cyber incident - The University of Sydney

Cyber incident

On 28 February 2025, we wrote to affected users to inform them about a cyber security incident that occurred on 24 February, affecting the Australian New Zealand Clinical Trials Registry (ANZCTR) and the Australian Cancer Trials websites. 

There is no ongoing threat to University systems and no identifiable health data has been compromised. We do, however, recommend affected parties take immediate action by changing their passwords and remain alert to phishing attacks, in order to minimise the risk of any further harm. 

Upon identifying this incident, the University acted swiftly to secure our systems, and the affected websites are currently inactive. There is no impact on University systems, and we are working to restore the websites as quickly as possible.

What users need to do 

Our investigations indicate that data including the names, phone/fax numbers, email addresses and institutions associated with trials and those institutions’ addresses have been impacted. Investigations are also showing that the passwords used for the ANZCTR website have been impacted. Affected parties will be required to change their password when the website is securely reactivated, and if they use the same password to log in to any other websites or applications, we strongly encourage them to change it to protect their data security.

In the meantime, we encourage affected parties to take the following precautions to reduce the risk of information being misused:

  • Be vigilant: Monitor your personal and financial accounts for any suspicious activity and be alert to phishing attacks, including those that appear to be from trusted sources. Phishing attacks are becoming increasingly sophisticated and can seem very credible. 
  • Change passwords: Update your passwords for all accounts and use multi-factor authentication where possible. Avoid reusing passwords across different accounts. 
  • Report: If you suspect any misuse of your information, report it to your cyber security team immediately. 

What occurred 

Based on our current investigations, we understand that data on these websites was compromised on the morning of 24 February. The University promptly took down the websites to prevent further harm. On 27 February, our forensic investigations identified the impacted user data, and we immediately took steps to contact all affected parties to enable them to be vigilant, change their passwords, and be alert to phishing attacks. 

We apologise to those affected by this incident. We are working with all relevant parties to manage this situation and protect everyone involved. We have also undertaken notification activities to relevant authorities. 

We will update our website with further information as it becomes available. If you would like to make a privacy complaint, please contact privacy.enquiries@sydney.edu.au. You may also have the right to make a complaint or seek a review of certain conduct by the University in connection with this issue. More information about external complaints and reviews is available on the NSW Information and Privacy Commissioner website. 

Questions and answers

The key action you need to take is to reset your password information. If you have reused the password for other websites or applications, we strongly encourage you to change it. This password has been compromised and must not be reused.

Limited personal information has been impacted for trial administrators and contacts: 

  • Name
  • Phone and fax number
  • Association with research institution
  • Corporate or personal email addresses
  • Address (associated with the research institution)
  • Account password 

Actions you can take to protect yourself are:

  • Change your passwords: Update your passwords, particularly if you have reused passwords or used passwords similar to the compromised password. Do not reuse passwords, and use a password management tool.
  • Be alert to any phishing attempts: Be vigilant with email and alert to any suspicious emails or messages.
  • Escalate if you have concerns: If you notice suspicious or concerning activity, report this to your organisation. 
  • Look for warning signs: If you receive text messages saying your password has been changed for a particular website or application, and you have not updated this password yourself, this could be a sign that the relevant account has been compromised. If this occurs, talk to your organiser or service provider for this account as soon as possible. 
  • Software and operating system upgrades: For the best security protection, make sure all your software and operating systems are upgraded to the latest versions.
  • If you suspect your email account has been signed up to services you do not want: Go to https://justdeleteme.xyz/. Follow the instructions to disconnect your account from a range of services.
  • To monitor whether your email address has been compromised in a data breach: Go to https://haveibeenpwned.com/. This site monitors the dark web to track where email addresses have been compromised. Using this site helps you to identify where your credentials may have been compromised, and where you should prioritise changing passwords.

 

When it became aware of the incident, the University immediately took down the websites to prevent the risk of further harm.

Affected parties have been notified and advised to reset passwords and to follow cyber safety advice as above as a precautionary measure.

If you would like to make a privacy complaint, please contact privacy.enquiries@sydney.edu.au.

The issue was isolated to a single platform operated by the University and had no impact on other University systems. 

The University is enhancing the cyber security measures on the affected system to provide greater protection against similar incidents in the future. 

This incident impacted all account holders on the clinical trial registry. 

The University is working to notify all relevant parties.

We have notified the Australian Cyber Security Centre (ACSC) and the NSW Privacy Commissioner, and communicated with other relevant regulatory authorities.

Last updated: 31/8/23 at 3pm
First published: 31/8/23