The New South Wales government has shut down claims that it was hit by a data breach after a ransomware group leaked an alleged sample of 200GB in stolen data to the dark web.
The alleged leak first appeared on Tuesday, when threat actor ‘Nova’ listed NSW Government on its dedicated ransomware blog.
The Russian-speaking group said it had exfiltrated over 200GB in “sensitive data” from a NSW Government network, before posting a countdown timer to threaten its full release.
"Contact us for deal, make sure that any leak can lead you to legal actions and trust lost [sic],” read Nova’s post.
In a statement to Information Age, NSW chief cybersecurity officer Marie Patane said there was “no evidence of any sensitive information being accessed” at the time of writing.
“Cyber Security NSW is aware of a query which is being looked into by Public Sector agencies,” said Patane.
“The only sample files provided are publicly available and historical information.”
Nova claims it has a buyer
Nova’s dark web post included a sample of the allegedly stolen government data: three files relating to “emergency response projects” in the early 2010s, and four PDFs depicting topographic maps for rural NSW localities.
Information Age was able to locate four of these files via publicly available government domains.
NSW Government appeared on Nova’s dark web blog, alongside droves of ransomware victims. Source: Nova’s dark web blog.
Despite the seemingly weak data sample, Nova claimed it had secured a lucrative offer for the full dataset.
“Got offre [sic] to sell the data with 704k USD,” wrote Nova.
“We are not ready to sell the data yet.
“We looking for negotiation with the company.”
At the time of writing, Nova’s countdown timer sits at approximately 13 days and 4 hours.
Fake data breaches are bad for business
Nova operates on a ‘ransomware-as-a-service’ (RaaS) model where affiliates can deploy the gang’s ransomware for a cut of any extorted payments.
Mandy Turney, adjunct lecturer in cyber criminology at The University of Queensland, noted these groups largely rely on their reputation, and victims believing that hackers have indeed “compromised their systems, stolen the data and will leak it if unpaid”.
Still, Turner said there have been cases where “groups, or actors masquerading as known threat groups” have exaggerated or fabricated a breach – including by misrepresenting previously leaked datasets or public information as newly stolen data.
“This can help improve their reputation among other ransomware operators and affiliates and can scare potential victims into paying without verifying their claims,” said Turner.
Notably, Nova maintains a list of banned affiliates – most of whom appear to be members of Russian-speaking hacking forums who were struck down for violating Nova’s policies.
“Any participant listed here must be banned by all RaaS providers, otherwise [companies] will lose trust in the group and the process,” Nova wrote in Russian.
The group has made 140 leak posts since April 2025, with NSW Government marking the gang’s first Australian listing.
NSW public services rife with breaches
There have been at least seven data breaches related to NSW public services since 2020.
In the most recent breach in April, NSW Treasury revealed a public servant had allegedly stolen thousands of government documents across multiple departments and projects.
When asked whether there were sufficient penalty and remediation measures in place regarding local governments’ approach to data breaches, Turner said “penalties, or threats of penalties, are not necessarily going to make a system and its processes more secure”.
Turner noted that although government data breaches can be of “national security concern”, can negatively impact public trust, and can pose significant identity-theft risks to affected individuals, NSW Government appeared to be “focusing on continual improvements” to its cybersecurity posture.
“They are trying to respond to the emerging threat landscape with proactive concepts, such as building on cyber-resilience, enhancing reporting mechanisms and requirements, and being transparent,” said Turner.
“It is a fine balancing act between the carrot and the stick, and they are doing what they can to continually improve their approach.”
