Russian hackers have breached the systems and stolen the data of Australia’s privacy watchdog, the Office of the Australian Information Commissioner (OAIC).
The government agency, which is responsible for monitoring data breaches from cyber attacks, has seen its own data stolen by the Russian state-backed hacking group ALPHV (also known as BlackCat).
The threat group got its hands on the OAIC’s data after it gained access in late April to the systems of Australian legal firm HWL Ebsworth, of which the OAIC is a client.
The OAIC has said it is currently in talks with HWL Ebsworth to confirm exactly what data was stolen.
“The OAIC can confirm that it is a legal client of HWL Ebsworth,” a spokesperson for the OAIC told The Australian.
“We have also been recently informed that some material provided to the firm has been compromised as a result of the cyber attack.
“The OAIC is in active dialogue with HWL Ebsworth to understand what information has been compromised.”
Under the OAIC’s “Notifiable Data Breaches scheme”, organisations affected by data breaches are required to report them to the OAIC, as well as notify any affected customers if the breach is believed to have the potential to cause serious harm, such as identity theft, fraud, financial loss and physical or psychological harm.
Organisations have 30 days to determine whether a case is likely to cause serious harm.
While it is unknown when the OAIC discovered that hackers had accessed its data, it has said that it will comply with the Notifiable Data Breaches scheme and notify anyone who has been affected.
“Consistent with requirements of the Notifiable Data Breaches scheme, any affected individuals will be notified,” the spokesperson added.
The OAIC spokesperson also stressed that while some of the agency’s data was compromised through the HWL Ebsworth hack, its own systems remain intact.
This comes just as HWL Ebsworth has announced that it has secured an NSW Supreme Court injunction that aims to prevent hackers from publishing stolen data.
While the primary target of the injunction was the ALPHV hackers, it will also have the effect of preventing media or any other parties from reporting details of the stolen data.
Despite this, cyber experts have expressed concern that hackers may not only ignore the injunction but also be angered by it, causing them to act increasingly maliciously.
“On the one hand, the injunction may dissuade casual looky-loos from accessing the data and also stop reporters from using it as the basis for stories,” said a ransomware researcher for New Zealand security firm Emsisoft, Brett Callow.
“On the other hand, it’s unlikely to stop ALPHV from releasing the data and may actually provoke them into releasing it more quickly or distributing it more widely than they otherwise would.”