Peak privacy agency the latest to fall victim to Russia-linked cybercrime gang
Peak privacy agency the Office of the Australian Information Commissioner is the latest to fall victim to Russia-linked hackers.
The peak Australian government agency that monitors privacy breaches caused by cyber hacking has had its own data stolen by hackers – and has so far failed to notify potentially affected people about the risk to their privacy.
The Office of the Australian Information Commissioner has had data stolen by the Russian criminal ransomware gang known as BlackCat, or ALPHV. The hackers obtained the OAIC data after infiltrating the computer systems of blue-chip Australian legal firm HWL Ebsworth.
The OAIC is a client of HWL Ebsworth, with annual reports showing the firm is one of several hired to provide professional advice to the agency. Firms and organisations are required to report significant data breaches to the OAIC under the Notifiable Data Breaches scheme, and to notify potentially affected people if the data breach is likely to cause serious harm. An organisation or agency has up to 30 days to determine whether serious harm is likely to flow from the privacy breach, and to notify any affected people.
According to the OAIC website, examples of serious harm can include identity theft, fraud and financial loss, the likelihood of physical or psychological harm, or harm to a person’s reputation. It is not known when the OAIC discovered it had been hacked. The agency is headed by commissioner Angelene Falk.
A spokesperson said the OAIC systems had not been compromised, but confirmed some of the data it had provided to HWL Ebsworth had been compromised by the hackers.
“The OAIC can confirm that it is a legal client of HWL Ebsworth,” the spokesperson said.
“We have also been recently informed that some material provided to the firm has been compromised as a result of the cyberattack.
“The OAIC is in active dialogue with HWL Ebsworth to understand what information has been compromised.
“Consistent with requirements of the Notifiable Data Breaches scheme, any affected individuals will be notified.”
The spokesperson did not answer questions about what data had been compromised.
HWL Ebsworth, which has done work for state and federal government agencies and large numbers of ASX top 50 companies, discovered it had been compromised in late April, and notified affected parties. It has since taken legal action to stop the hackers dumping data on the dark web. The cyber criminals have claimed to have stolen four terabytes of information, including financial information and credit-card numbers, and details about HWL Ebsworth’s clients.
The company has previously said it was working with the OAIC – but it was not known until now that the privacy watchdog itself had suffered a data breach via the law firm’s compromise.
The OAIC monitors compliance with the breaches scheme, and tracks data breaches, which can occur through cyber hacking, loss of phones or other electronic devices, or a person’s private information being sent to the wrong person.
“When a data breach occurs, we expect an organisation or agency to try to reduce the chance that an individual experiences harm,” it says on its website.
“If they’re successful, and the data breach is not likely to result in serious harm, the organisation or agency doesn’t need to tell the individual about the data breach.”
The OAIC is involved in the investigation into a massive hack of the Latitude buy-now, pay-later company, and has been involved in the response to the Medibank and Optus hacks.
As the nation’s peak privacy watchdog, it handles Australian privacy complaints, and oversees reviews of Freedom of Information request denials from large federal government agencies. On its website, it says it upholds the rights of the public to access government-held information, as well as the right to have personal information protected.