By Cameron Houston and Kieran Rooney
Witnesses whose sensitive testimonies about sexual abuse or underworld figures could be leaked online after a hack of the Victorian court archive system are unable to apply for compensation through the state’s privacy watchdog.
It has also emerged that the Supreme Court announced plans to outsource its IT department, including its entire cybersecurity team, at the same time as Court Services Victoria’s system fell victim to the major hack.
Documents obtained by this masthead reveal a Supreme Court proposal to make 12 IT workers redundant – including the IT incident manager, infrastructure and IT security manager, and IT and digital support manager – because of “ongoing cost pressures and rapid advances in technology”.
Under Victorian law, members of the public can make complaints to Privacy and Data Protection Deputy Commissioner Rachel Dixon when their information held by government agencies is breached. They can pursue compensation or further action regardless of whether the breach was from a cyberattack or an accidental release of data.
But the state’s court system is exempt from this legislation, meaning Dixon does not have powers to act over a court-related breach or to receive complaints from those affected, as she can do with other areas of government.
Following media inquiries on Tuesday, Court Services Victoria revealed that hackers had gained access to a part of the court system archives that included video recordings provided under witness protection and at trials protected by suppression orders.
The compromised records include key evidence from a murder trial in the Supreme Court involving a Melbourne underworld figure that is the subject of a strict suppression order, along with the confidential testimony of several witnesses in sexual assault cases in the County Court.
The Office of the Victorian Information Commissioner, which Dixon’s position sits within, plays a leading role in protecting data held by government agencies. Its powers include enforcement action, collecting data on breaches and a requirement that organisations regularly provide it with detailed security plans.
Under Victoria’s data protection laws, organisations must take “reasonable steps” to protect personal information from misuse and loss. This definition can depend on the size and sensitivity of the information being collected.
But the Privacy and Data Protection Act 2014, which gives Dixon her powers to enforce the standards, specifically excludes information related to judicial or quasi-judicial functions by a court or tribunal or its officers and staff. It has not yet been tested whether the data standards spelt out in legislation could be enforced in relation to the court system through other means.
Court Services Victoria chief executive Louise Anderson said the statutory body discovered the breach of the audio-visual archive on December 21.
“Recordings of some hearings in courts and tribunals between November 1 and December 21 may have been accessed,” Anderson said in a statement. She also conceded some hearings before November could have been hacked but said potential access was confined to recordings stored on the CSV network.
“We understand this will be unsettling for those who have been part of a hearing,” she said.
A CSV spokeswoman said the proposed changes to the Supreme Court’s IT department were in a consultation period and no decision had been made.
“This process is unrelated to the cyber incident that Court Services Victoria has been managing since 21 December. Supreme Court of Victoria IT infrastructure was not impacted by this incident,” she said.
A document released by the Supreme Court in November revealed it was planning to make the outsourcing change.
“The change proposed is to outsource the support for the Supreme Court of Victoria’s two generic and least complex technology environments, the desktop environment and the infrastructure and security environment, to a third-party provider that already provides related services to Court Services Victoria (CSV),” the document said.
But as the document was being released, cybercriminals had already breached the CSV system, which manages only audio-visual recordings for all courts, including the Supreme Court.
The contentious outsourcing plan is proposed to be implemented on February 26 after consultation with staff and the Community and Public Sector Union.
A union spokesman described the outsourcing plan as a “shortsighted and deceitful plan to cut vital jobs and privatise a sensitive service that protects so much personal court information”.
CSV confirmed that Supreme Court hearings recorded between December 1 and 21 may have been accessed by the hackers.
It said it took immediate action to disable the network and notify the relevant authorities, but it took time to establish which recordings and transcripts were affected – which is why it kept the news of the hack from the public.
CSV said it would begin notifying people whose hearings might have been accessed. A plaintiff involved in two Supreme Court hearings from December received correspondence on Tuesday from CSV informing them of the security breach.
“Court Services Victoria has identified a cybersecurity incident where malicious software was used to access the audiovisual in-court technology network ... we are not able to identify what recordings were accessed before the system was disabled,” the CSV correspondence said.
CSV informed the plaintiff, who asked not to be identified, that it had measures in place to detect attempts to use the recordings inappropriately.
Cybersecurity specialists said they suspected the CSV hack was probably the work of Russian ransomware group Qilin or one of its affiliates.
Attacks by Qilin typically involve the use of phishing emails with malicious links to gain access to targets, followed by the encryption and theft of sensitive data.
“The Qilin ransomware gang might be Russian-based, but that does not mean it is Russian [government] controlled,” cybersecurity research group Cyberknow said in a statement.
“This is very likely an opportunistic attack by financially motivated operators and not targeting the Victorian government for any state objectives.”
Data collected by the Office of the Victorian Information Commissioner shows that during the first half of 2023 there were 283 incidents in which data breaches were reported by government agencies or organisations with public sector information. Of these, 233 were accidental and 40 were described as intentional or malicious.
An August report from the Victorian Auditor-General’s Office said 90 per cent of government agencies were targeted in cyberattacks in 2022. It called on the government to adopt stronger measures including wider use of 24/7 security services.
The state government announced a five-year cyber strategy in 2021, and in the 2023-24 budget committed $34.7 million to improvements, including a centralised Cyber Defence Centre that helps to identify and stop attacks.
“The Cyber Defence Centre operates 24 hours a day, seven days a week – providing departments and agencies with critical support when they are responding to cyber incidents,” a government spokesman said. “Our cyber security experts provide technical support and assist with forensic investigations as well as threat intelligence and monitoring.”
Figures from the Australian Cyber Security Centre show a new cybercrime is reported in Victoria every 40 minutes.