Top bureaucrat grilled over email release dubs own department’s risk assessment ‘overrated’

A senior federal bureaucrat who ordered a trove of parliamentary emails to be released to a private company previously hacked by Russian criminals says she believed her own department’s cybersecurity risk assessment was “overrated”.

Jaala Hinchcliffe, the Parliamentary Services Secretary, has conceded she should have sought advice from the Clerk of the Senate before instructing her department to send hundreds of thousands – possibly millions – of emails and documents to a third party.

Senior public servant Jaala Hinchcliffe previously worked on law enforcement integrity and for anti-corruption agencies. Credit: Alex Ellinghausen

Hinchcliffe is now facing calls from the opposition for her conduct to be investigated. She has also been instructed by parliament’s presiding officers to retrieve the data for safe storage.

Federal politicians are worried that their confidential communications may have been compromised.

Hinchcliffe was advised in September last year that giving a private contractor full administrator rights to the department’s entire computer network posed an “extreme” risk of unlawful disclosure of sensitive information, including matters of national security.

There was particular concern among the department’s cybersecurity experts about handing the data to law firm HWL Ebsworth, given the company had been the victim of an extensive cyberattack in April 2023 by a Russian-based ransomware group.

She ordered the IT department to grant access anyway.

“I was of the view that the draft risk assessment that had been given to me had been overrated,” Hinchcliffe told a parliamentary committee, saying the law firm had assured the department it had upgraded its security protocols.

The released data was analysed by TransPerfect, which had been subcontracted by HWL Ebsworth to find information to support an investigation into potential wrongdoing by senior departmental colleagues, including former DPS secretary Rob Stefanic. Stefanic was sacked in December last year after the investigation.

All up, 170 GB of parliamentary data was released from parliament’s computer network under Hinchcliffe’s orders. Based on the average size of a plain-text email, up to 2 million emails may be contained in the cache.

Hinchcliffe has been told by parliament’s presiding officers, Senate President Sue Lines and House of Representatives Speaker Milton Dick, to retrieve the emails from HWL Ebsworth.

Lines said she was “uncomfortable” about so much parliamentary data being held by a third party, especially when some of the material may be subject to special legal protection and immunity under so-called parliamentary privilege.

“To satisfy all of us who are parliamentarians, and a potential issue of privilege, the data is best held here,” she told the Senate’s Finance and Public Administration Legislation Committee.

“It’s of concern to me, so bringing it back here takes that concern away.”

Asked by Liberal senator James Paterson if she had sought advice on parliamentary privilege, Hinchcliffe said she had not, saying she had based her decision on “first principles” that MPs’ data would not be handed to an investigation being overseen by barrister Fiona Roughley.

“But I concede, given the concerns raised in this committee, that it would have been beneficial for me to have sought advice from the [Senate] Clerk, which I did not do,” Hinchcliffe said.

Paterson responded: “Did you really prefer your own judgement over the Clerk’s judgement about the risk of parliamentary privilege?”

She replied: “Senator, I’ve conceded that I didn’t seek the advice of the Clerk and that it would’ve been better placed if I had.”

Liberal senator Jane Hume said she was deeply concerned that the Senate president was not informed of the data extraction until after it had occurred, despite IT’s risk assessment.

“I would have thought that this would constitute further investigation as a potential breach of the department’s code of conduct,” Hume told the committee.

Lines said she would consider strengthening data handling protocols, “to make sure there is an oversight in place”.

Asked by Hume if she retained confidence in Hinchcliffe, Lines said: “Yes, I do.”

Hume said she would formally request the Senate President seek advice from the Australian Public Service Commissioner about whether Hinchcliffe had breached the departmental code of conduct. Hume said she would also seek to hold an inquiry into potential breaches of parliamentary privilege.
