This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Muswellbrook Shire Council

Summary

Muswellbrook Shire Council in New South Wales discovered unauthorised access to its IT environment on 4 December 2024. The SafePay ransomware gang subsequently published 175 gigabytes of stolen council data on 15 December 2024. The council notified relevant authorities including the Australian Cyber Security Centre, NSW Information and Privacy Commissioner, and the Office of the Australian Information Commissioner, and directly contacted affected individuals.

What Happened

On 4 December 2024, Muswellbrook Shire Council discovered a cyber incident involving unauthorised access by a third party to a portion of its IT environment. The council immediately worked to contain the incident and commenced an investigation into what occurred and what information may have been compromised.

On 15 December 2024, the council became aware that some of their data had been disclosed online when the SafePay ransomware gang published 175 gigabytes of stolen data. SafePay is a relatively new ransomware operation, first observed in late November 2024, and is believed to be Russian-speaking or based in Russia. Muswellbrook Shire Council was the gang's fourth victim in the Australia-New Zealand region.

Impact on Individuals

Following a detailed review of the stolen data, Muswellbrook Shire Council directly contacted individuals whose information was affected by the breach. The specific types of personal information compromised have not been publicly disclosed, but could include resident records, council employee information, and other data held by the local government.

Organisational Response

Upon discovery, Muswellbrook Shire Council immediately worked to contain the incident and commenced a thorough investigation. The council notified the Australian Cyber Security Centre (ACSC), the NSW Information and Privacy Commissioner (NSW IPC), and the Office of the Australian Information Commissioner (OAIC) about the incident in accordance with regulatory requirements. After conducting a detailed review of the compromised data, the council directly contacted affected individuals to inform them of the breach. +++

Verification Source: View original statement