Clive Palmer’s political parties hacked in major breach
By Nick Newling
Clive Palmer’s political party has been hacked in an attack the organisation fears has led to the theft of its emails, documents, and electronic records, threatening the personal data of all those who have been in contact with it online.
In a statement published to the United Australia Party and Trumpet of Patriots websites on Thursday, the parties revealed that on June 23 there had been “unauthorised access to our servers resulting in access to, and the possible exfiltration of, certain data records”.
According to the parties’ statement, the leak may “potentially include all emails to and from the political parties (including their attachments) and documents and records created and or held electronically by the political parties at any time in the past.”
The hack is another blow to a political organisation that failed to have any MPs or senators elected in May, despite its mining magnate founder being widely believed to have spent tens of millions on advertising, following the 2022 contest in which his $100 million outlay won only one Senate seat.
The Palmer parties also said the personal information of people who had communicated with them, including email addresses, phone numbers, banking records, employment history and confidential documents, may have been stolen.
Given the breadth of the hack and the fact that the parties do not keep a record of those whose information is stored on their servers, the parties “determined it is impracticable to notify individuals” who may have been affected.
While the parties are yet to determine the specific data that had been stolen, they cautioned those in communication with the parties to “assume that any information you have provided would have been stored on the server”, and therefore compromised.
The Office of the Australian Information Commissioner says that in the event of a high-level data breach, where one or more individuals may be seriously harmed by the unauthorised access of data, both the affected individuals and the commissioner must be notified.
Organisations can be held liable for failing to take reasonable steps to protect personal information from unauthorised access, with a maximum penalty of $50 million. Fines were increased in 2022 following hacks at Optus and Medibank.
Registered political parties are exempt from the Privacy Act 1988, which covers data breaches; however, the United Australia Party has not been a registered party since 2022.
Australian organisations have been on notice of major hacks since the 2022 hacks of major companies Optus and Medibank.
Hackers took 520GB of data from Medibank in 2022 and published 9.7 million current and former customers’ information on the dark web.
The same year, the contact details, names and addresses of 9.8 million Optus customers were hacked, including 3 million customers’ passports.
Earlier this month, 5.7 million Qantas customers had their data hacked, including names, addresses, frequent flyer details, and membership status to the airline’s exclusive Chairman’s Lounge.
Between July and December last year, the commissioner received 595 notifications of data breaches, up 15 per cent from the previous six months. Malicious or criminal attacks were responsible for 69 per cent of the breaches.
When asked about the 24-day delay between the cyberattack and yesterday’s announcement, vice president of cybersecurity firm Darktrace Tony Jarvis said: “Best practice would be for the parties to notify the public as soon as possible, and to make a concerted and sustained effort to notify affected individuals and provide ongoing support.”
“The ransomware group appears to have gained comprehensive access to both organisations’ entire networks. That means people’s bank records, identity records, employment history, and documents subject to confidentiality agreements with registered political parties are potentially in the hands of cyber criminals,” he said.
United Australia Party and Trumpet of Patriots recommended that those potentially affected review all communications between themselves and the party to find out what information may have been leaked, and “carefully consider whether you need to take any action in response to the data breach on the assumption that the hackers may have accessed your data”.
The United Australia Party was a registered political party from 2013 to 2017, and from December 2018 to September 2022, but failed in a High Court bid to re-register before the last election. The Trumpet of Patriots was established to contest the 2025 federal election but failed to win a seat.
A spokesman for Clive Palmer and his parties was contacted for comment.