James Paterson (Victoria, Liberal Party, Shadow Minister for Cyber Security) Share this | Link to this | Hansard source

My question is to the Minister representing the Minister for Home Affairs, Senator Watt. The Australian reported last week that Commonwealth government data was stolen by Russian hackers who infiltrated the systems of law firm HWL Ebsworth. Will the government reveal what data has been stolen and when the government knew that Commonwealth data had been compromised?

Murray Watt (Queensland, Australian Labor Party, Minister for Agriculture, Fisheries and Forestry) Share this | Link to this | Hansard source

Thank you, Senator Paterson. It won't surprise Senator Paterson that we're not going to be revealing the data that appears to have been hacked by Russian hackers. I'm actually a little surprised that Senator Paterson would expect that we would do such a thing. But, certainly, the Australian government is aware of a cyber incident impacting HWL Ebsworth.

On 1 May 2023, HWL Ebsworth reported a cyber incident involving ransomware and claims of data exfiltration and publication to the data web. On 8 May 2023, HWL Ebsworth provided initial notification to the Office of the Australian Information Commissioner under the Notifiable Data Breaches scheme. On 9 June 2023, HWL Ebsworth became aware that a threat actor had claimed to have published at least 1.4 terabytes of exfiltrated data on the dark web.

The government continues to actively engage HWL Ebsworth as it investigates the extent of the breach, including impacts on Commonwealth information. HWL Ebsworth has begun notifying impacted clients regarding their information identified as compromised as part of this breach. This process remains ongoing and will take time to complete due to the scale of the impacted data.

The government is continuing to work with HWL Ebsworth to understand and manage potential consequences of the publication of the data. Of course, specific inquiries relating to this incident should be directed to HWL Ebsworth. I am aware that the firm is working with clients and the OAIC to meet relevant obligations under the Privacy Act 1988 and ensure that affected individuals are notified as soon as possible.

The:

Senator Paterson, first supplementary?

James Paterson (Victoria, Liberal Party, Shadow Minister for Cyber Security) Share this | Link to this | Hansard source

How many Australian businesses and individuals have been impacted by this data breach and have they been informed that their data has been compromised?

Murray Watt (Queensland, Australian Labor Party, Minister for Agriculture, Fisheries and Forestry) Share this | Link to this | Hansard source

ATT (—) (): Again, Senator Paterson, I don't think you can seriously expect that we're going to be putting into the public domain the sort of information that you're seeking there as to the number of businesses that are affected. These are obviously very sensitive matters.

Sue Lines (President) Share this | Link to this | Hansard source

Minister Watt, please resume your seat. Senator Paterson?

James Paterson (Victoria, Liberal Party, Shadow Minister for Cyber Security) Share this | Link to this | Hansard source

On a point of order, the government was able to share these sorts of numbers in relation Optus and Medibank attacks—

Sue Lines (President) Share this | Link to this | Hansard source

Senator Paterson, that's not a point of order; it's a debating point. Minister Watt, please continue.

Murray Watt (Queensland, Australian Labor Party, Minister for Agriculture, Fisheries and Forestry) Share this | Link to this | Hansard source

Senator Paterson, I'd be interested to go back and see who actually provided what information in relation to those data breaches, because I certainly recall that, in a number of instances, it was the companies themselves who decided to put that kind of information into the public domain. The other part of your question was whether affected individuals or organisations have been notified. In my previous answer, I made the point that HWL Ebsworth has begun notifying impacted clients regarding their information identified as compromised as part of this breach. But this process does remain ongoing. It will take time to complete due to the scale of the impacted data, but the government takes this seriously and is continuing to work with HWL Ebsworth.

Sue Lines (President) Share this | Link to this | Hansard source

Senator Paterson, second supplementary?

James Paterson (Victoria, Liberal Party, Shadow Minister for Cyber Security) Share this | Link to this | Hansard source

On 27 February, the Minister for Home Affairs shared that she expected to have the newly announced cybersecurity coordinator in place, and I quote, 'Within the next month'. That was almost four months ago. When will the new cybersecurity coordinator be appointed and announced?

Murray Watt (Queensland, Australian Labor Party, Minister for Agriculture, Fisheries and Forestry) Share this | Link to this | Hansard source

I'm happy to take your direction, President. I don't know whether that question actually does relate to the primary. Obviously, it still involves cybersecurity, but being the generous person that I am, I'm willing to answer the question from Senator Paterson. The Prime Minister announced the establishment of a coordinator for cybersecurity and the National Office for Cyber Security on 27 February this year. This role will ensure a centrally coordinated approach to deliver government cybersecurity responsibilities and lead across the Australian Public Service the coordination and triaging of action in response to a major cyber incident. I know it's the minister's intention to announce the new coordinator in the coming weeks. The minister has taken the time to make sure that we get the very best possible appointment to that role. And I might point out that, of course, this is the first time we've had an Australian minister for cyber security in the cabinet, so I think this government's record is strong.