NSW Treasury hit by cyber incident over shared data

Systems flag bulk movement of sensitive documents to outside host

By Roxanne Libatique

The New South Wales government has declared a “significant cyber incident” after detecting an alleged internal data exfiltration at NSW Treasury involving confidential commercial and financial information across multiple agencies. According to the government, security monitoring systems identified a suspected transfer of a large volume of documents from Treasury to an external server. The material relates to several NSW government departments and projects and is understood to include commercial and financial records.

NSW Treasury referred the matter to NSW Police on Sunday, April 19, 2026. Police then established Strike Force Civic to investigate, and criminal charges were laid overnight. Police have indicated that their inquiries are continuing but that they believe all allegedly stolen data has been located and secured. At this stage, authorities say there is no evidence of an external compromise of NSW Treasury’s systems and no impact on the delivery of NSW government services.

The NSW Chief Cyber Security Officer is coordinating a whole-of-government response in line with the state’s cyber security plan. The incident has been classified as significant under state protocols because of the type of information involved and its reach across agencies. In a public statement, a ministerial spokesperson said: “I thank NSW Police and Cyber Security NSW for their rapid actions since Sunday.” The incident raises questions about the extent of exposure from insider activity, data movement between systems, and reliance on shared information repositories across multiple portfolios and projects.

Commonwealth posture report details mixed progress

The NSW incident comes as the federal government releases The Commonwealth Cyber Security Posture in 2025, an assessment of cyber security measures across Australian government entities for the 2024-25 financial year. As of June 30, 2025, the Australian government architecture comprised 194 entities: 102 non‑corporate Commonwealth entities, 74 corporate Commonwealth entities, and 18 Commonwealth companies. The posture report draws primarily on the Australian Signals Directorate (ASD) Cyber Security Survey, which in 2025 recorded a 94% participation rate, matching last year’s highest result since reporting began. The report assesses entities across three areas: cyber security hardening (with a focus on the Essential Eight mitigation strategies), incident preparedness and response, and leadership and planning for cyber security.

Among the findings:

  • In 2025, 22% of entities achieved overall Maturity Level 2 across the Essential Eight, up from 15% in 2024 but below 2023, when 25% reached that level. The report links this to strengthened controls introduced in November 2023, which increased the requirements for Maturity Level 2.
  • In 2025, 82% of entities had a cyber security strategy, compared with 75% in 2024. In the same year, 92% included cyber disruptions in business continuity and disaster recovery planning, up from 86%.
  • Ninety‑one percent of entities reported having a planned body of work to improve cyber security, and 83% of those programs were funded. Incident preparedness was also widespread, with 90% of entities having an incident response plan in 2025, up from 86%.

The report notes that workforce training is common but uneven. In 2025, 87% of entities provided annual cyber security training, compared with 78% in 2024. However, the proportion providing annual privileged‑user training fell to 45%, from 51%. Supply chain risk assessments for applications, IT equipment, and services were conducted by 70% of entities in 2025, down from 74% in 2024. Cyber incident reporting to ASD remained relatively low. Only 35% of entities indicated they reported at least half of observed cyber incidents to ASD in 2024. Separately, ASD notified government entities 223 times in 2025 of potential malicious cyber activity based on its own visibility and telemetry. The report identifies legacy IT as an ongoing risk to the cyber security posture of entities. ASD issued guidance in 2024 on managing the risks of legacy IT and, in October 2025, released publications on “modern defensible architecture” to guide agencies as they invest in or update technical products and services, including the replacement of older systems.

Genealogy SA confirms incident after SafePay data leak

In South Australia, community organisation Genealogy SA has confirmed a cyber incident after the SafePay ransomware group claimed to have stolen and leaked data from the society. Genealogy SA, founded in 1973 and formerly known as the South Australian Genealogy & Heraldry Society, runs genealogical and family history services with more than 4,300 members and around 230 volunteers. The organisation was listed on SafePay’s dark web leak site on April 16, 2026. The ransomware group threatened to publish data allegedly taken from Genealogy SA and has since released a data set it says was exfiltrated. The material reportedly includes business, financial and insurance documents, historic genealogical records, personal information in correspondence, and internal templates and labels.

In comments reported by Cyber Daily, Genealogy SA linked the leak to an incident identified earlier in the year. “We are aware of the claims made by SafePay. This relates to an incident that was discovered by us back in February 2026. Immediately at the time of discovering the incident, we engaged cyber security experts to contain and investigate the incident. We can confirm that the incident is resolved, and we have communicated with our members about the incident,” the company said.
