Peter A Clarke

The cyber attack of Trumpets of Patriots and the United Australia Party highlights two issues with privacy. The first is that political parties harvest huge amounts of personal information. Some of it relates to membership. Some is obtained through enquiries, surveys and data provided from other political sources, such as parliamentarians. Political parties operate on data. It is a critical part of messaging and lobbying. This cyber attack highlights a flaw in the Privacy Act 1988. Registered political parties are exempt  under section 7C from the operations of the Privacy Act 1988. The Privacy Commissioner has no power to investigate the breach. The question then is whether either or both the United Australia Party and the Trumpets of Patriots are “registered political parties.”  According to the Australian Electoral Commission the Trumpet of Patriots is a registered political party. The United Australia Party is not.  It has been deregistered and despite its best efforts in Babet v Commonwealth of Australia; Palmer v Commonwealth of Australia [2025] HCA 21 could not be re registered.  Interestingly the Trumpets of Patriots notified the Privacy Commissioner of the data breach.

That does not mean Trumpets of Patriots is immune from suit even if it is exempt under the Privacy Act.  

The story is covered in the Australian with Clive Palmer’s United Australia Party, Trumpet of Patriots hit in ‘ransomware cyber attack’.

Trumpets of Patriots/United Australia Party made the following statement:

We advise that a data breach occurred on 23 June 2025 which may have affected your personal information held by the following entities or other associated entities:

• • Trumpet of Patriots
  • United Australia Party

(the “Political Parties”)

What happened
On 23 June 2025, we identified unauthorised access to our servers resulting in access to, and the possible exfiltration of, certain data records. We were the subject of a ransomware cyber-attack.

What information was involved
The data records potentially include all emails to and from the Political Parties (including their attachments) and documents and records created and or held electronically by the Political Parties at any time in the past.

The compromised data may include your personal information which you have provided to the Political Parties or which it has created. This could include for example your email address, phone number, identity records, banking records, employment history, documents (including those provided subject to confidentiality arrangements) and the like.

We do not know comprehensively what information of yours was on the server but you should assume that any information you have provided would have been stored on the server. We do not keep a record of all individuals who were on the server. We have determined it is impracticable to notify individuals.

What we are doing
We have secured our systems and restored recoverable data from back up tapes.  We have reported the breach to the Office of the Australian Information Commissioner (OAIC) and to the Australian Signals Directorate.

What you can do
We recommend that you review your communications (emails and mail) with us to identify any information you have provided to us and consider what other information might be affected.

We recommend you carefully consider whether you need to take any action in response to the data breach on the assumption that the hackers may have accessed your data.

The action you might take could include monitoring your bank accounts, changing passwords, using multi-factor authentication, contacting your bank and being vigilant about use of your identity.

We urge you to follow general precautionary steps and remain vigilant about the misuse of your personal information.

Please remain alert especially with email, text messages or phone calls, particularly where the sender or call purports to be from the Political Parties.  You should always independently verify the identity of the caller by contacting them on a number available through official channels.