Exclusive: Supreme Court of NSW grants injunction in Wattle Range Council hack

The Supreme Court of NSW has granted an injunction restraining third parties from accessing or disseminating any data breached by the LockBit ransomware attack on South Australia’s Wattle Range Council.

The injunction was granted on 2 August in the wake of LockBit claiming the hack and publishing several documents to its leak site on 18 July.

Wattle Range Council shared the details of the injunction on its website on 3 August.

“Wattle Range Council has sought and been granted a court-ordered injunction to prevent the access, dissemination, or publication of Wattle Range Council data that has been or may be posted on the dark web by any third party,” a Wattle Range Council spokesperson said.

“We ask that interested parties do not try and access any Wattle Range Council data on the dark web as this is a criminal offence in contravention of the court order.

“Obtaining the injunction is part of our ongoing commitment to our community and staff to take all reasonable steps in response to this incident.

“As soon as Wattle Range Council became aware of this incident, we launched an investigation to ascertain what information is involved. This work is ongoing, and we will continue to provide further updates to our community as more information becomes available.”

A spokesperson for the council also added that the injunction applies to media reporting on the incident.

VIEW ALL

The council shared details of what data had been accessed on 19 July after being contacted by Cyber Daily.

“Our ongoing investigation has confirmed that some Wattle Range Council data has been accessed and taken from our IT environment. A priority of our investigation is to determine exactly what information was involved, and who it relates to,” a council spokesperson said.

“At this stage, we believe the information largely relates to files taken from a legacy server, which primarily contains publicly available information and internal working documents.”

The council also said it was aware of the data already published to the dark web and that it was monitoring LockBit’s site “to detect any further developments or publication of our data and will provide further updates as required”.

According to local news site The SE Voice, the council is remaining “tight-lipped” over the incident. A council meeting was held on 2 August, but minutes of the meeting are being kept confidential under section 90 of the Local Government Act. When asked further questions by The SE Voice, acting council chief executive Paul Duka shared the following statement.

“At this stage, the agenda and minutes of Friday afternoon’s special Wattle Range Council meeting remain in confidence, therefore there is no further statement,” Duka told The SE Voice following the meeting.


“We are continuing our investigations into what information was involved in the incident, and who it relates to, there are no further updates at this time.


“In the meantime, we ask the community [to] remain vigilant against potential phishing emails and other scam communications, and to watch our website for any updated information or advice on the incident.”

Speaking to the injunction on accessing and sharing data exposed by the incident, Annie Haggar, Principle at cyber security law firm CyberGC, said they were an important Incident Response tool.

"They can help to reduce the ‘stickybeaking’ that can occur when datasets are posted on the darkweb from those who do not have a ‘need to know’. This can help to reduce the harm to the impacted organisation and its clients by this data being further accessed and distributed by media organisations," Haggar told Cyber Daily.

"However, injunctions should not be used to stop the media reporting on breaches where it is a matter of public safety and enables a reduction in the harm caused to impacted individuals and organisations. In so many cases the media is the first place people learn about a breach, and it is not until weeks later that impacted individuals are notified by the breached organisation, during which time they could have taken action to protect themselves. Media organisations also have a responsibility not to increase the harm caused by the breach through their reporting – including by providing links to or directing traffic to the stolen data.

"We anticipate the increasing use of injunctions as part of an impacted organisation’s response to a cyber incident, and they have an important role to play. However, their use needs to be balanced between restricting publication of information in the interests of the public good and safety versus a false sense of security against voyeurism of the stolen datasets that actually only deters already law-respecting parties."

UPDATED 05/08/2024 to add commentary from Annie Haggar.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.