At least 9,000 sensitive court files – potentially including apprehended violence orders and details of minors – have been downloaded in a “major data breach” involving the NSW Department of Communities and Justice (DCJ).

On Tuesday, 25 March, cybercrime detectives were alerted to a breach of the NSW Online Registry Website (ORW), an online portal which provides access to sensitive information from both civil and criminal cases across the NSW court system.

NSW Police said the breach of the “secure online platform” saw approximately 9,000 sensitive court files accessed, including both apprehended violence orders (otherwise known as restraining orders or AVOs) and affidavits.

“Investigations remain ongoing to establish the full extent of the breach,” wrote NSW Police.

A spokesperson for the DCJ – which oversees the ORW – told Information Age it had identified the data breach and “implemented mitigation strategies to contain it”.

“DCJ is working to urgently identify and contact affected users and will provide updates as more information becomes available,” they said.

At the time of writing, no stolen data has surfaced online.

The NSW Police has urged anyone who thinks their details may have been compromised to make a report through the federal government's ReportCyber website.

DCJ terminates suspicious user account

NSW Attorney-General Michael Daley explained a DCJ cyber unit discovered the incident while performing “routine maintenance” of the registry system.

“They detected that some data within that system had changed,” said Daley.

"Upon further examination, they worked out that an account holder within the justice link system had gained an unlawful entry into that system.

“As soon as that breach was detected, the DCJ cyber experts moved quickly to shut down that user's account and rectify the vulnerability.”

While fronting press Thursday morning, Daley affirmed the suspicious account holder had “accessed 9,000 files”.

He added that over the weekend, DCJ investigators realised the suspicious user had “infiltrated a unit within the justice link system” with a malicious Python script.

The DCJ “patched the system” at 8pm Tuesday, Daley said, while the account and its malicious activities were halted last week.

Will the data leak?

While NSW police already affirmed some 9,000 court files were downloaded, Daley said it’ll be “about a week” before police know the “exact nature of the data that was viewed by the hacker”.

Daley added the government was taking the matter “seriously” and working with both cybercrime detectives and private sector experts.

“The experts have been looking through the dark web and employing other techniques that they use to work out what might have happened with the data,” said Daley.

He added that as of Thursday morning, none of the affected data has appeared publicly “on the dark web or anywhere else”.

"Data hacks are a fact of modern life and the government is not immune," Daley told reporters.

Tony Vizza, managing partner at digital risk management firm Novera, told Information Age if the accessed files are encrypted, “a cybercriminal might not be able to do much” with them.

“But, if, for example, the downloaded information is not encrypted and is held to ransom with a threat to publish it, there are serious considerations and implications that could arise,” said Vizza.

“In these high-risk scenarios, hopefully there’s an incident response plan which the DCJ and police have activated to mitigate the potential risks to those exposed.”

Vizza added that legal proceedings “involve sensitive information” by nature, and documents related to legal proceedings “shouldn’t be under threat of public disclosure”.

“In this case, we know there are some AVOs impacted, and that’s a form of highly sensitive information that should not be in the public realm in any way,” said Vizza.

Identity of hacker unknown

Detective acting superintendent Jason Smith, commander of the Cybercrime Squad, said NSW Police became aware of the incident Tuesday and “immediately commenced an investigation”.

Despite working closely with both the DCJ and Cyber Security NSW, Smith said police did not know “the identity or the origin of the threat actor,” and could not confirm whether they were potentially based overseas.

“We are trying to investigate to the best of our ability,” said Smith.

“These matters are incredibly complex and technical in nature, and are very difficult to investigate.”

Smith reiterated there were potentially sensitive documents involved in the incident, and said “if people have concerns for their safety” they “need to put measures in place and, if necessary, contact their local police.”

A similar 2023 hack at Courts Services Victoria – while never officially attributed to a specific hacker – was suspected to be tied to prominent ransomware group Qilin, believed to be headed by Russia-affiliated threat actors.