Tasmania's Tafe system, the state's Teachers Registration Board and the office of the Commissioner for Children and Young People have been caught up in a recent Tasmanian government data breach — but a security expert says reporting about hack needs to be measured.
On Good Friday, the Tasmanian government said 16,000 documents had been released online after hackers accessed data from the Department of Education, Children and Young People through the third-party file transfer service GoAnywhere MFT.
The Education Department's website said the data included the names of children and the school they attended, their home room and year group.
It also potentially included the bank account details and birth dates of TasTafe students.
Those affected have been sent emails urging them to monitor their bank accounts and report any suspicious financial activity.
On the weekend, Tasmania Police Chief Commissioner Donna Adams and Secretary of the Department of Premier and Cabinet Jenny Gale took the unusual step of writing a joint letter to members of the Labor Opposition and media outlets, urging them not to give further coverage to the topic because it could increase the state's vulnerability to cyber attacks.
"Cyber criminals … operate as organised crime and work on a ransomware business model that creates uncertainty and fear. The current media environment is fuelling that business model," they wrote.
"I would appreciate your cooperation by heeding the same advice and not doing any further media.
Commissioner Adams and Ms Gale said authorities would now only be providing comment on the breach "if there is a significant event to inform the community."
"[We] would strongly encourage a united approach," they said.
"The security advice is that continual coverage … can increase the cyber risk to Tasmania."
The reaction to the letter was swift on social media, with several Labor figures and lawyers labelling the direction "extraordinary" and "outrageous".
"Advice to government being extended to try and silence the opposition from asking critical questions?" Labor's Josh Willie wrote on Twitter.
Greg Barns SC from the Australian Lawyers Alliance said it set "a very troubling precedent".
"In a democracy we rely on opposition parties, and we rely on the media, to keep government accountable," he said.
"Some very serious matters have been raised about the competence of the Rockliff government's handling of this matter and it's incumbent on the opposition and the media to ensure that they continue public scrutiny of the government.
"We have not seen in Australia any police commissioner do anything like this in such a ham-fisted way.
"It's saying if there's any compromise of Tasmanian databases, we shouldn't talk about it, we should just let the government have their way".
Alastair MacGibbon, a former national cybersecurity adviser to the federal government and chief strategy officer for advisory firm CyberCX, has been engaged to provide provide technical assistance to the Tasmanian government on the data breach.
He told ABC Radio Hobart one of the first tasks was to assess its "blast radius".
"We certainly have seen [hackers] contact journalists, and just like in terrorist situations or in situations of self-harm, there does need to be caution sometimes on how these things are reported," Mr MacGibbon said.
"That shouldn't be read as saying the media shouldn't report it.
"The intent of the letter seems to be not about asking questions per se, but the reporting of it and how it could be used by the hacker and thousands of people who might be concerned about their data."
Mr MacGibbon said in previous incidents like the Medibank security breach, the media was used by offenders to amplify the impact.
"They are real offenders and they cause real harm," he said.
"They'll try to extort money from victim organisations and if you don't do what they want, they'll try to create more harm through publicity, to warn the next victim, 'you'd better cooperate with me'.
"In terms of blame for the government, that'll come out in the wash — but clearly governments are always exposed to questioning by the media and the opposition as part of the parliamentary process. And the media has a big role to play in educating the public about what to do if their information is leaked."
The breach of the US-based third-party file transfer service GoAnywhere MFT was first revealed at the end of March.
At first, Science and Technology Minister Madeleine Ogilvie said there was "no indication" government-held data had been compromised, but added the investigations were "ongoing".
A few days later she announced there was a risk sensitive data — including names, addresses and bank account numbers held by the Department of Education, Children And Young People — had been accessed.
Finally, on Good Friday, Ms Ogilvie announced that the breach involved up to 16,000 documents.
"My concern is for individual students, parents; we need to triage that, we'll be working through that," she said.
