‘Huge breach’: MPs fume over email transfer during investigation

More than 100,000 sensitive parliamentary emails and documents were handed over to a private law firm that had recently been hit by a major cyberattack, despite clear warnings about the extreme risks involved. In 2023, the Department of Parliamentary Services’ (DPS) deputy secretary, Jaala Hinchcliffe, ordered her IT team to hand over a vast trove of communications, including Microsoft Office files and Teams chats, spanning a 10-month period. The move was part of an internal investigation into possible wrongdoing by senior staff, including her then boss, Rob Stefanic, who was eventually sacked for loss of trust and confidence. Hinchcliffe, who had worked on law enforcement integrity and anti-corruption agencies, twice directed the department's IT to give the legal firm HWL Ebsworth access to parliamentary communications. Alarm bells rang within the DPS cybersecurity division because HWL Ebsworth had suffered a massive Russian ransomware attack just months earlier, resulting in 3.6TB of stolen data. Despite the cybersecurity experts flagging an "extreme" risk of unlawful disclosure, including potential breaches of national security and parliamentary privilege, Hinchcliffe did not reject or seek further clarification on the warnings. The data handed over included over 108,000 emails and 44,000 Office 365 records related to communications between several high-profile individuals, including Stefanic, a former deputy secretary Cate Saunders, who received a controversial $315,000 incentive to retire payment, and other senior public service figures. This investigation ran parallel to a National Anti-Corruption Commission (NACC) probe and a separate fact-finding inquiry by barrister Fiona Roughley. After the initial data transfer in July 2023, Hinchcliffe requested a further search when counsel believed some material had been excluded. This time, however, a data analyst contracted by HWL Ebsworth carried out the search, and the law firm’s contractor was granted full administrator access to DPS’s entire computer network—a move that further escalated cybersecurity concerns. Federal politicians expressed outrage over the potential breach of parliamentary privilege and confidentiality. Liberal senator Jane Hume warned that breaching such confidentiality could threaten democratic processes, while Greens senator Steph Hodgins-May criticized the department for conducting an overly broad sweep that collected communications from junior staffers with no involvement in the matter, calling it a “huge breach of trust.” Queensland senator James McGrath added that if emails were shared against explicit risk assessments, there should be serious accountability. The department maintains that HWL Ebsworth provided assurances and established protocols to manage the data, and that no parliamentary data was given to Roughley in her investigation. The inquiry into Saunders’ retirement payment uncovered conflicts of interest and procedural failures, including payroll errors leading to overpayment. The whole episode has sparked questions about balancing the need for internal investigations with protecting sensitive parliamentary communications, especially when involving third parties with recent cybersecurity vulnerabilities.