Massive NSW Court Data Breach Exposes 9,000 Sensitive Records

A mystery hacker breached NSW JusticeLink, accessing details including names and addresses of domestic violence victims, minors, and witnesses.
The outside of the Supreme Court of New South Wales building is seen in Sydney on October 9, 2013. Photo by WILLIAM WEST/AFP via Getty Images

A cyber breach affecting more than 400,000 cases in New South Wales (NSW) courts has exposed as many as 9,000 sensitive records to hackers.

Authorities remain uncertain how the system was accessed, and police say it is too early to determine whether confidential details—such as the names and addresses of domestic violence victims, minors, or witnesses—could end up for sale online.

Those potentially affected will have to wait up to a week to determine whether their information has been compromised.

The breach was detected on March 25, when Justice Department officials noticed unusual activity. One account had accessed or downloaded thousands of sensitive court files, including apprehended violence orders (AVOs) and affidavits that may contain witness statements.

On March 27, investigators confirmed they were still trying to determine the hacker’s identity, what files were accessed, and whether the account was compromised.

“Cyber criminals routinely gain access to other people’s credentials and accounts to gain access to systems,” said Cybercrime Squad commander Jason Smith. “At this point in time, we just simply don’t know [how it happened]. It’s very early in the investigation.”

No Leads on Hacker’s Identity or Location So Far

Despite working closely with both the Department of Communities and Justice (DCJ) and Cyber Security NSW, authorities do not yet know who carried out the breach or whether the hacker is based overseas.

“These matters are incredibly complex and technical in nature, and are very difficult to investigate,” Smith told a press conference.

While he would not speculate on whether the hacker has obtained details of vulnerable individuals, he advised anyone concerned to take precautions.

“If you have concerns about your safety as a result of this data breach, you should contact your local police station,” he said.

“If you believe that your identity documents have been compromised, ID Support NSW will [assist] in remediating your identity documents.”

A DCJ spokesperson said cybersecurity is a top priority and noted that no stolen data has been made public so far.

NSW Government ‘Taking This Seriously’

State Attorney-General Michael Daley said it would take up to a week before investigators knew exactly what had happened and the nature of the data that the hacker viewed.

“The important thing is the government is taking this seriously, because this is a system that stores public data securely,” he said.

“The experts have been looking through the dark web and employing other techniques that they use to work out what might have happened with the data.”

As of the morning of March 27, no stolen data had surfaced on the dark web or elsewhere, according to officials.

“Data hacks are a fact of modern life, and the government is not immune,” Daley said.

System Security Concerns Persist

JusticeLink, the court system’s case management platform, was introduced in the District and Supreme Courts in 2008.

A 2019 NSW Auditor-General report flagged concerns about outdated technology and inadequate controls to ensure data accuracy.

The report found that “in the provision of data and technology services, the department is not effectively supporting the efficient operation of the District Criminal Court system.”

A user manual for the system says it can only be accessed by persons who have been invited to do so by the courts. Then, they must complete a registration form, submit it to the Justice Department, and create a username and password upon approval.

At the time the manual was written, login credentials followed minimal security requirements:
  • User IDs had to be at least six characters long.
  • Passwords had to be at least seven characters long and contain at least two numbers.
  • Three unsuccessful attempts would lock the user’s account, requiring a manual reset via email.
  • Users were automatically logged out after 30 minutes of inactivity.

According to an online password checker, a seven-character password meeting these requirements (all lowercase) is rated as “very weak” and could be cracked in about 17 minutes using brute force. However, the three-attempt lockout reduces the risk of brute-force attacks.

Site Still Shows Signs of Vulnerability, Despite Patch

Security flaws remain, despite a system patch installed on March 26. A security analysis by The Epoch Times on March 27 found multiple vulnerabilities, including:
  • No web application firewall (WAF) to protect the site against common web attacks.
  • Some HTTP headers related to security and privacy are missing or misconfigured.
  • Web server version disclosure, which can help hackers exploit known vulnerabilities.
  • Insecure cookie handling, which could allow unauthorised access to personal or tracking information.
  • No subresource integrity (SRI) checks, making the system vulnerable to JavaScript injection attacks, one of the most common methods for hackers to steal data.
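
For site owners who want to check their own responses for the header, cookie, version-disclosure and SRI findings listed above, the sketch below is an added example, not The Epoch Times' analysis or any JusticeLink code. The sample response, the header baseline and all names in it are constructed assumptions, and WAF presence is not covered because it cannot be judged from a single response.

```python
import re
from html.parser import HTMLParser

# Constructed sample response for illustration; not captured from any real site.
SAMPLE_HEADERS = [("Server", "ExampleHTTPD/2.4.1"), ("Content-Type", "text/html"),
                  ("X-Content-Type-Options", "nosniff"),
                  ("Set-Cookie", "SESSIONID=abc123; Path=/")]
SAMPLE_HTML = ('<script src="https://cdn.example.com/lib.js"></script>'
               '<script src="/static/app.js"></script>'
               '<script src="https://cdn.example.com/ok.js" integrity="sha384-PLACEHOLDER"></script>')
# Assumed baseline of security headers; the article does not say which were missing.
EXPECTED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-content-type-options", "x-frame-options", "referrer-policy")

class SriScan(HTMLParser):
    """Collects externally hosted scripts/stylesheets that lack an integrity attribute."""
    def __init__(self):
        super().__init__()
        self.missing = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        # Simplification: any absolute or protocol-relative URL is treated as third-party.
        if url and re.match(r"(https?:)?//", url) and not a.get("integrity"):
            self.missing.append(url)

def audit(headers, html):
    """Return (finding, detail) tuples for one HTTP response's headers and body."""
    findings = []
    present = {name.lower() for name, _ in headers}
    findings += [("missing-header", h) for h in EXPECTED_HEADERS if h not in present]
    for name, value in headers:
        key = name.lower()
        # A digit in Server / X-Powered-By usually means a version string is exposed.
        if key in ("server", "x-powered-by") and re.search(r"\d", value):
            findings.append(("version-disclosure", value))
        if key == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {p.strip().split("=")[0].lower() for p in value.split(";")[1:]}
            findings += [("cookie-missing-" + f, cookie)
                         for f in ("secure", "httponly", "samesite") if f not in attrs]
    scan = SriScan()
    scan.feed(html)
    return findings + [("no-sri", url) for url in scan.missing]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS, SAMPLE_HTML):
        print(finding)
```
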

A hack in 2023 on Courts Services Victoria was widely suspected to be the work of Qilin, a ransomware group believed to have ties to Russia-affiliated threat actors. However, no attribution was ever officially confirmed.

Rex Widerstrom
Rex Widerstrom is a New Zealand-based reporter with over 40 years of experience in media, including radio and print. He is currently a presenter for Hutt Radio.