3 weeks ago
12
February 4, 2026 — 5:00am
Students’ behavioural testing records and parents’ personal information were leaked in data breaches that have plagued NSW departments since 2023, documents provided to state parliament reveal.
A parliamentary call for papers reveals eight cyberattacks across four state government departments, with one resulting in about 27,000 documents being downloaded from an external service provider to the Department of Communities and Justice.
The heads of public sector agencies are required to report the breaches to the privacy commissioner. The breaches highlight glaring weaknesses in the state’s digital defences, raising concerns about the safety of sensitive information held by the NSW government.
Those concerns were particularly acute across three incidents at the Department of Education between late 2023 and 2025.
In June 2024, a teacher at Cranebrook High, near Penrith, inadvertently downloaded malicious software on a departmental computer.
The malware ran searches for specific information and copied the files to a remote IP address. The file “contained the personally identifiable information of two individuals. The information relates to records of the students’ adaptive behavioural testing”, according to a report compiled after the incident.
Those tests are used to diagnose autism, intellectual disabilities and developmental delays.
“We will recommend that affected individuals receive mental health support services to manage any psychological or emotional harm arising from this breach,” the report recommended.
In late 2023, a “malicious insider” working as an IT administrator at The Forest High School and Kensington Public School deployed malware via servers on 39 teacher devices and three student devices “with the objective of stealing financial information” which was then moved onto a private Telegram channel.
The personal information was exposed for four months before the incident was reported to NSW Police and Cyber Security NSW. The department recommended affected individuals change the passwords for every website and online application they logged into over the period.
In August 2025, the personal mobile phone of an education department employee was compromised in a “SIM-swap attack” allowing the hacker to gain access to the bureaucrat’s workplace email, OneDrive and Share Point for 48 hours. The hacked drive account provided access to about 700 employees’ and parents/carers’ personal information.
A NSW Education spokesperson said: “All of the named incidents were detected by the Department of Education’s cybersecurity team, which acted immediately to contain these threats.
“The department worked with NSW Police and ID Support NSW to advise and support anyone affected.”
The department did not respond to questions about whether the three incidents were the extent of cyberattacks during that time period.
The papers also reveal the full extent of a major breach at the Department of Communities and Justice. A report completed by the department stated about 27,000 files were exfiltrated from Riverina Medical and Dental Aboriginal Corporation, an Aboriginal medical service, between late October 2024 and early 2025, with “a large portion” containing DCJ clients’ personal information.
“DCJ is working with RivMed’s team and our internal cyber unit to monitor the dark web for any publication,” the report stated, noting authorities were alerted to the breach after an extract was published on the dark web.
The department was hit by another major data breach soon after, which included the download of about 9000 “sensitive court files” such as domestic violence orders and affidavits.
Another cyberattack experienced by a service provider in Moruya, the state’s South Coast, cost $45,000 in insurance paid to iCare, the state insurer, according to the report.
The department said: “If such access occurs, DCJ takes all necessary action under the law and works closely with Cyber Security NSW and other authorities including police.”
Opposition digital spokesman James Griffin noted a report released by Audit Office of NSW last June warned cybersecurity across the NSW government required strengthening.
“People need to have trust that the government they need to deal with can keep their information safe. The government are clearly not focusing on this issue, and the data proves it,” he said.
The Audit Office found there had been 152 significant, high and extreme residual cybersecurity risks reported by 27 agencies in the 2024 financial year.
The Department of Primary Industries and Regional Development has also been affected.
The website of Tocal College, an agricultural educator, was placed offline in late 2024 after a ransomware attack on a third-party supplier, Winger Software. The cyberattack – which included personal information relating to 20,000 individuals – was revealed only after someone discovered a ransom note three days after the breach.
“The ransom note requested the system owner to contact an email address for further decryption,” the report said, noting 1GB of data was transferred out of the college’s network.
A DPIRD spokesperson said in relation to the incident: “The NSW Police, NSW privacy commissioner, Cyber Security NSW and the Australian Cyber Security Centre were notified.”
“DPIRD engaged the services of a cybersecurity forensics firm to conduct a forensic investigation to identify the root cause and to prevent recurrence.”
Nearly 40 customers were affected during a “high risk” breach at Valuation NSW in the Department of Planning, Housing and Infrastructure in early 2024. The unauthorised access to external firm Herron Todd White enabled the hacker to obtain the name of landholders, the lot number and spatial photos.
The unauthorised access to the firm’s system was discovered after irregular online activity was detected. The department estimated the data breach cost $8585.
A department spokesman said: “Value NSW took immediate action by suspending the firm’s services until the breach was rectified and wrote to affected customers to advise them of the incident,” he said.
Start the day with a summary of the day’s most important and interesting stories, analysis and insights. Sign up for our Morning Edition newsletter.
