Domestic and family violence victim-survivors who are concerned their safety may have been compromised have been advised to take precautions after a major data breach at the New South Wales Department of Communities and Justice (DCJ).
The state attorney general, Michael Daley, said on Thursday that the hacker gained unlawful entry to part of the state’s secure online court registry system via a registered account and accessed 9,000 files.
The breach was detected during a routine maintenance and security check of the Justice Link system last week.
“What we don’t know yet is which files were actually accessed, what the hacker did with them, whether he or she just viewed them or downloaded and shared them,” Daley told reporters.
The exact contents of the breached NSW online registry files would not be known for about a week, the government said on Thursday. But they could contain the details of victim-survivors of domestic violence – including children.
Acting Supt Jason Smith from the NSW police cybercrime squad said the data “potentially” contained the details of both AVOs and of minors whose data was held by the department.
He said victim-survivors who believed their safety was at risk “certainly” needed to take precautions.
“There are potentially sensitive documents and if people have concerns for their safety, they need to put measures in place and, if necessary, contact their local police,” Smith said.
Police were made aware of the breach on 25 March and it would be about a week until cybercrime detectives would be able to give exact details of the files that were accessed and what the hacker viewed, Daley said.
“People might be concerned about having their data accessed”, he said. “If they feel that their safety or security has been threatened, they should call the police straight away.”
The hacker’s motivation and identity were not known, including whether they acted alone, were based overseas or were a government employee, Smith said.
after newsletter promotion
The hacker used a Python script to infiltrate a unit of the Justice Link system, with the breach initially appearing as changes to some data, Daley said.
“As soon as that breach was detected, the DCJ cyber experts moved quickly to shut down that user’s account and to rectify the vulnerability, Daley said. “As soon as they did that, the hack stopped.”
A security patch was added to the system and tested on Wednesday evening, closing the vulnerability, he said.
The attorney general added that no data from the breach had been found on the internet, including on the dark web.
While confident the systems to detect cyber breaches had in this case “worked”, the minister admitted that sensitive details held by the DCJ should not be “out there, and that’s why the government spends a lot of time and money and effort and employs the best government and private sector experts to keep our system safe”.
“But, unfortunately, in a modern world, this happens sometimes,” Daley said.
