Data breach of Victorian Court Services continues to attract coverage, now overseas.

January 5, 2024

Today’s Age has comprehensively covered the data breach of the Court Services system with “Victims exposed in court hack ‘unlikely’ to be able to sue: legal expert”. Bleeping Computer, a US-based tech magazine, has reported on the breach with “Victoria court recordings exposed in reported ransomware attack”. There is also a brief piece by cyberdaily, “Victorian court systems allegedly breached by Qilin ransomware gang”, and one by Security, “Victoria court records exposed following cyberattack”.

As the Age article states, there would be challenges in bringing proceedings arising from this data breach. But they may not be insurmountable. It is most likely that the ransomware infected the system via an email and that someone in Court Services opened it. Alternatively, the attackers somehow obtained login and password details allowing access. Finally, it may have been through a third party service provider. Each of those means of ingress should be the subject of proper processes and training. In my experience, they rarely are. Often an audit of a system after a cyber attack reveals many, many flaws.

While the data breach probably does not involve a large number of individuals, it is particularly significant because it involves court recordings, which should be properly protected, especially where files involve sensitive information, as some of the recorded evidence would. It is early days but the potential for continuing havoc is real. Hackers have been known to release data when their demands have been rejected. How the hackers thought the Government would pay a ransom is something of a mystery.

The Age article provides:

Sex abuse victims and underworld informants whose testimonies could be leaked online after a hack of the Victorian court system are highly unlikely to be able to sue for damages, according to a University of Melbourne law professor.

The Victorian government is still unsure how many people have been exposed by the hack as it tries to determine what actions those affected can take.

Professor Jeannie Paterson, the co-director of the Centre for AI and Digital Ethics at the University of Melbourne, said if an affected person sued the State of Victoria, they would need to show that a Court Services Victoria officer had been negligent.

“It’s not clear that anybody was negligent in this case,” said Paterson, pointing out that hackers were constantly trying to breach systems and when they succeeded, it was not always an indication of fault on the behalf of an organisation.

“You would have to show an officer or agent had done something really careless in managing that system that was hacked, otherwise it’s going to be really difficult to seek compensation through litigation.”

Court Services Victoria confirmed this week that hackers had gained access to part of one of its systems that manages audiovisual recordings for all courts, including video recordings provided under witness protection and at trials protected by suppression orders.

Chief executive Louise Anderson has said that recordings of some hearings of courts and tribunals between November 1 and December 21 may have been accessed.

Cybersecurity specialists have speculated that the Court Services Victoria hack is probably the work of Russian ransomware group Qilin or one of its affiliates.

Paterson said the cybersecurity breach was horrible and there should be another form of compensation – such as ex gratia payments from the government – to recognise the emotional harm that had been caused.

“An administrative solution to compensation for harm caused by data breaches within the court system is preferable to litigation,” Paterson said.

“Litigation is difficult in this context, for reasons relating to judicial immunity, limitations on suing the Crown and even showing the breach was due to negligence as opposed to criminal activity. Additionally, litigation is expensive and traumatising for people already traumatised by the breach.”

Health Minister Mary-Anne Thomas did not respond directly when asked at a press conference on Thursday if the government was considering compensation.

“At this stage, I’m asking anyone that may have been impacted by that breach to register with the hotline that’s been established by Court Services Victoria,” Thomas said.

A state government spokesperson later said Court Services Victoria was working closely with cybersecurity experts to determine how many people had been affected.

“We understand this is a distressing time for those involved and the sensitivities involved with such information being accessed,” the spokesperson said. “We are also seeking advice on what actions people who have been affected by the incident can take.”

Peter Clarke, a barrister who specialises in privacy law, agreed it would be difficult to seek compensation through litigation.

However, he said ransomware attacks were commonly delivered because someone had opened an attachment or clicked on a hyperlink in an unfamiliar email.

Clarke said actions could potentially be brought against the State of Victoria if staff had not received proper training in cybersecurity or IT services did not have proper systems for filtering emails.

“But this is all frontier territory. As far as the law is concerned in Australia, it’s not a very commonly litigated area,” he said.

“There have been cases – and I’ve been involved in a few – but they all settled.”

Kim Price, the deputy managing principal of Victoria’s largest institutional abuse legal practice Arnold Thomas & Becker, said he was concerned about the potential breach of privacy of one of his clients and several witnesses.

“The attack is extremely concerning. We represent a large number of clients and witnesses, who have provided evidence on the condition of anonymity and will be very worried about this breach of privacy,” he said.

Price said compensation may apply in certain circumstances, such as if an individual had suffered loss or damage as a direct result of the breach of privacy.

“There is also a chance, given the scale of this breach, that it warrants a class action. The personal data of a significant number of people has been compromised.”

One person who said they had had a closed court hearing involving child sex abuse matters during the November-December timeframe emailed court services saying they believed they had been affected by the breach.

In the email, which was seen by The Age, the person said they were extremely disappointed and upset given they had been guaranteed anonymity and would appreciate a follow-up about what was being done about this serious matter.

The Age yesterday reported those affected would be unable to apply for compensation through the state’s privacy watchdog because the court system is exempt from legislation in the Privacy and Data Protection Act.

“In light of this data breach, the Victorian government should look at whether maintaining this broad exemption remains appropriate, particularly since courts in other jurisdictions are subject to privacy laws in relation to their administrative function,” said Marlia Saunders, a partner at corporate law firm Thomson Geer.

Anyone who believes they may have been affected by the cyber incident should contact the dedicated call centre set up by CSV on 03 9087 6116 to seek further information and register their concerns, the state government spokesman said.
