The personal details of Australian federal police officers have been leaked on the dark web, according to the police association, as part of a wide-ranging data breach that could threaten other high-profile agencies.
The AFP is a client of the law firm HWL Ebsworth, which was hacked by a Russian-linked ransomware group in April, sparking fears that highly sensitive information would be widely distributed.
Alex Caruana, the federal police association’s president, said the breach was concerning.
“Affected members have approached the [association], and we are aware of the issue and hold concerns about the impact this data breach may have on them,” Caruana said.
“We believe our members’ information has been placed on the dark web, and we trust the AFP to investigate this matter and look after the affected members.”
The hack was perpetrated by the ALPHV/Blackcat ransomware group, which started publishing material online not long after the breach was confirmed.
At least 60 departments or government agencies have used HWL Ebsworth’s services over the past decade, including the defence department, home affairs, prime minister and cabinet, Services Australia and the fair work ombudsman.
The departments and agencies used the law firm for legal services and advice, sometimes on sensitive areas of work.
A spokesperson for the law firm said it was not appropriate to comment on specifics of any affected information.
“HWL Ebsworth is concerned to protect the privacy and confidentiality of any parties impacted by the incident,” a spokesperson said.
The law firm has obtained a non-publication court order designed to prevent dissemination of the published material.
The AFP declined to comment.
Australia’s new cybersecurity coordinator, Darren Goldie, has previously confirmed that sensitive and personal government information had been posted online by the ransomware group.
The Russian group operates as a “ransomware-as-a-service” provider, which is a subscription model that gives affiliates access to ransomware tools to attack organisations.
On Friday the Dymocks book chain reported that contact records for 1.24m customers had been stolen and made available on the dark web in a separate hack.
The company said the information leaked was limited to contact information such as names, addresss, phone numbers, emails, membership details and date of birth. It said passwords, identification documents and information related to transactions such as credit card details and passwords had not been compromised.
The chief executive, Mark Newman, said in a letter to customers the company was “devastated” by the leak, which he said appeared to have occurred in the systems of “an external data partner”.
“I cannot begin to express how devastated the team and I feel about this incident,” Newman wrote. “We apologise unreservedly that the compromise has occurred and we’re committed to looking for ways to further strengthen the measures that we and our partners take to keep your information safe.”