Sensitive parliamentary documents handed to private company against risk advice

Federal politicians say they fear confidential communications may have been potentially compromised.

Exclusive: More than 100,000 sensitive parliamentary emails and documents were handed to a private company that had been the victim of a massive cyber hack by Russian criminals, despite warnings that granting such access posed an "extreme" risk.

9News, The Age and The Sydney Morning Herald can reveal that federal parliament's second most senior bureaucrat ordered her department to surrender a search of all emails, Microsoft Office files and Teams chats over a 10-month period in 2023 in a bid to investigate potential wrongdoing by senior colleagues, including her then boss.

Jaala Hinchcliffe, then deputy secretary of the Department of Parliamentary Services (DPS), last year twice oversaw an order for the IT team to give the department's lawyers, HWL Ebsworth, access to parliamentary communications.

READ MORE: Scott Morrison says net zero timeline 'just ideology'

In the second instance, a private contractor was given full administrator rights to DPS's entire computer network, despite the department's cybersecurity experts warning this risked unlawful disclosure of sensitive information, including matters of national security.

There was particular alarm inside the DPS cybersecurity division about unfiltered data being handed over to HWL Ebsworth, given the company had been the victim of a massive cyberattack in April 2023 by a Russian-based ransomware group.

In that attack, 3.6TB of data was stolen from HWL Ebsworth, which has dozens of government agencies as its clients, including Home Affairs, Defence, the Australian Federal Police and Prime Minister and Cabinet.

Computer networks are used by federal MPs and senators and their staff to conduct their work, some of which has legal protection and immunity under so-called parliamentary privilege.

Federal politicians have told 9News, The Age and The Sydney Morning Herald they fear confidential communications may have been potentially compromised.

"If this investigation has breached that parliamentary privilege, well, then that confidentiality has been breached also, and that's really a threat to the democratic processes that we rely upon," Liberal senator Jane Hume said.

Greens senator Steph Hodgins-May said it was a "huge breach of trust from a government department that, frankly, doesn't pass the pub test".

Hinchcliffe was investigating the propriety of a $315,000 "incentive to retire payment" to former department deputy secretary Cate Saunders, who had a personal relationship with Rob Stefanic, the DPS secretary until December 17 last year, when he was sacked.

Stefanic was dismissed by Senate President Sue Lines and the Speaker of the House of Representatives, Milton Dick, citing a loss of trust and confidence.

Hinchcliffe became acting secretary in November and was appointed formally to the role in March this year.

READ MORE: Trump orders 'immediate' testing of nuclear weapons

The National Anti-Corruption Commission (NACC), which is currently investigating the payment to Saunders, raided parliament on October 3 last year.

But four months before the NACC raid - and a month before DPS asked barrister Fiona Roughley to begin a separate "fact-finding" probe - Hinchcliffe had begun her own investigation into Stefanic, her then boss, and the payment to Saunders.

She asked the department's IT team to search for communications between February and November 2023 involving 10 people, including Stefanic, Saunders, the Australian Public Service Commissioner Gordon de Brouwer and senior staff, as well as seven key words or terms: including incentive to retire, ITR, Secretary, APSC and Commissioner.

According to documents seen by 9News, The Age and The Sydney Morning Herald, the search generated more than 108,000 emails and 44,000 Microsoft Office 365 records - many more if duplicates retrieved from multiple computer systems were included.

This data was sent to HWL Ebsworth in July last year.

But Hinchcliffe was not satisfied.

She told the IT department the next month that counsel for the department believed potentially relevant materials had been "inadvertently excluded" from the data.

She requested another search but this time conducted by a data analyst contracted by HWL Ebsworth.

A risk assessment conducted by the IT and cyber section of DPS concluded Hinchcliffe's request carried "extreme" risk on two fronts: the potential breach of confidentiality, including matters of national security; and the potential release of material subject to parliamentary privilege.

Hinchcliffe was sent the advice on September 4 but 9News, The Age and The Sydney Morning Herald has been told she neither approved, rejected or sought further details on the advice.

The next month DPS IT was directed to give HWL Ebsworth's contractor full systems administrator access to the department's computer systems, data and networks, which occurred over two to three days.

In a statement, DPS said HWL Ebsworth "provided suitable assurances to facilitate the provision of this information, with mechanisms and protocols established to manage all data".

Queensland LNP Senator James McGrath said he would be concerned if sensitive communications were shared beyond the parliamentary network.

"If public servants have released emails to a third party against a risk assessment which advised them not to release those emails, then heads should roll," McGrath said.

Hume said that DPS, in pursuing alleged misconduct, may have breached confidentiality.

"The idea that the department would potentially share information that was already privileged with a third party, and that that third party had had a cyber breach only 12 months before that, to me, sets off alarm bells," she said.

Hodgins-May said that while it was important to investigate potential wrongdoing, "methods absolutely matter".

"What we've seen is a dragnet that's trolled through and captured over 100,000 emails, sweeping up correspondence between even junior staffers with no suggested involvement in this, and then handing it over to a third party," she said.

The DPS-ordered external investigation of the payment to Saunders, conducted by Roughley, found there were conflicts of interest as well as multiple procedural failures, including the exclusion of specialist payroll staff, resulting in overpayment.

DPS said Roughley was provided with access to DPS information relevant to the scope of her investigation.

"No Parliamentarian or Parliamentary data was provided to Dr Roughley," the department said.

"DPS can confirm that legal advice and other contracted services were sought from national law firm HWLE Lawyers to support Dr Roughley's fact-finding investigation, and DPS's engagement with relevant Commonwealth agencies, including the NACC."

Before joining the Department of Parliamentary Services, Hinchcliffe was deputy commissioner at the National Anti-Corruption Commission and a former Australian Commissioner for Law Enforcement Integrity.

DOWNLOAD THE 9NEWS APP: Stay across all the latest in breaking news, sport, politics and the weather via our news app and get notifications sent straight to your smartphone. Available on the Apple App Store and Google Play.