Overview

• Both parties issued near-identical statements on July 17 warning that a June 23 ransomware attack may have exfiltrated internal data records.
• They still cannot determine which emails, attachments and confidential documents were stolen and say notifying individuals is impractical.
• Exposed information could include email addresses, phone numbers, banking details, identity files and employment histories.
• Systems are being secured and recoverable data restored from backups as the Office of the Information Commissioner and Australian Signals Directorate review the breach.
• Privacy lawyers say new statutory tort claims for serious invasions of privacy could expose the parties despite their exemption from the Privacy Act.