Callista – security vulnerability

The University has identified a security vulnerability that has exposed access to a subset of student profile information. There is currently no evidence the information has been used maliciously. However, as a precaution, we have directly alerted anyone whose information has been involved and advised them to consider extra vigilance over their personal digital security to protect against targeted phishing.

  • What happened?

    On 28 May 2026, UWA IT identified an instance of unauthorised external access to the Callista database, the University’s Student Information Management System. System access credentials were unintentionally exposed online, creating the pathway for potential unauthorised access.

    UWA IT immediately took steps to secure the system and removed the vulnerability.

  • What information was accessed?

    We believe personal data belonging to some prospective students, some current students, and some recent graduates were exposed, including:

    • Name
    • UWA Student ID
    • UWA Staff ID (if applicable)
    • Home and mobile phone number
    • Date of birth (day and month only)
    • Personal email address
    • Postcode
    • Enrolment status as at 2 April 2026

    We confirm no other information or documents including financial details were accessed, compromised or involved in this incident.  

  • What steps has the University taken?

    UWA IT immediately took steps to secure the system and has removed the vulnerability. 

    Individuals whose above information may have been accessed have been notified directly via email and advised of recommended digital security measures.

  • If UWA was aware of this incident on 28 May, why were we only notified on 8 June?

    IT acted immediately to secure the system and investigate the impact on access to information. This required detailed validation of historical system records and access. This investigation showed no evidence of data misuse or malicious activity that would trigger mandatory reporting requirements to regulatory authorities.

    The decision to notify impacted individuals was carefully considered, particularly during the current student exam period. However, the prompt notification of impacted individuals, as soon as the validation took place, reflects UWA's commitment to transparency, the protection of personal information and enabling individuals to take informed steps to safeguard themselves.

  • What do I need to do?

    Maintain a high level of vigilance across your online communications and transactions, to protect your information and reduce the risk of potential phishing scams:

    • Use strong passwords across all your online personal services, update them on a regular basis, and activate multi-factor authentication where available.
    • Remain alert to phishing scams via suspicious emails, SMS messages, or phone calls that appear to come from a trusted source.
    • Do not click on links that appear suspicious. Verify any communications you receive to ensure they are legitimate.
    • Be cautious of unexpected communications via email or phone referencing your enrolment, account or personal details.

    UWA password resets are not required. These remain secure due to multi-factor authentication already in place. 

  • Has any of my information been altered?

    There is no evidence that currently suggests personal information has been altered, shared or misused.

  • How might this affect me? 

    There may be an increased risk of scams or targeted phishing attempts using this information, so you should remain alert to suspicious activity, emails or phone calls. Be cautious of any communication referencing your enrolment, course or personal details.

  • I am a current student but I have not been contacted, why not?

    We have reached out directly via email on Monday 8 June to everyone who has been impacted by this incident. If you have not received an email (check your junk mail to be sure) then your personal data has not been involved.

  • I am not a current student, why do you still have my information?

    The University is legally required to retain student records for a designated period following completion or discontinuation of their study to facilitate processing should they decide to alter their enrolment status. For these reasons the University cannot remove or change your record during this period. 

  • How can I know if my personal data was accessed in the breach?

    The University has directly contacted anyone whose data may have been accessed. While the assessed risk is low, and there is no evidence information has been shared or used maliciously, we recommend you have heightened vigilance over your personal digital security as a precaution.

  • How can I be confident that the University is protecting personal information it holds?

    The University takes information security seriously and is continually working to improve the systems and processes which protect its information and to develop staff awareness of information security and cyber risks. Following this incident, a review will be carried out to determine how to further strengthen the University’s cyber defences and processes.

  • I am a UWA student studying online, does this incident affect my study program?

    This incident does not affect any digital systems used for online learning, so online studies can continue as per usual. No other university-wide learning or teaching systems have been affected so classes and study can continue as usual.

  • If I receive increased spam or other unusual activity on my phone, email or social media, is this related, and what should I do about this?

    It is not possible to say if they are related. However, you should practise safe cyber behaviours, set up multi-factor authentication, reset passwords on a regular basis, block senders you don’t recognise and remain vigilant for scams.

  • Are there services on campus that current students can access for support?

    If students require wellbeing support, they can visit The Living Room at Reid Library (between 11am and 4pm) without an appointment, or access specialist confidential support.

    For more information, students can email AskUWA.

    Alumni can contact UWA via [email protected]
