Australian cyber teams test data security controls after Court transcriptions offshored

The Federal Court of Australia has brought in CyberCX to test data and security controls of the technical platform used for transcriptions after some of the work was impermissibly handled by a company in India.

The ABC revealed exclusively in February that some transcription work contracted to VIQ Solutions had been subcontracted to a company in Chennai, in breach of contracts with the Courts.

A week later, the provider involved - VIQ Solutions - confirmed “data privacy incidents … in the performance of Australian-based transcription services.”

Since then, the Courts have scrambled to determine their potential exposure and to maintain continuity of transcription services, including by enacting contingency arrangements.

Domestic forensic efforts have been hampered by an alleged lack of openness by VIQ and by the company’s Australian operations being placed into voluntary administration.

Senators were told yesterday that the Canadian parent had repeatedly rebuffed requests to review an investigation report by “a leading independent cyber security firm”. A similar report commissioned locally was also allegedly being withheld.

Federal Circuit and Family Court of Australia CEO David Pringle told senate estimates that the next step for the Commonwealth was to explore legal avenues to get access to the report.

The actual contract for the transcription services is between VIQ and a Federal Court-based shared services entity.

Federal Court officials, led by CEO Sia Lagos, were equally frustrated at having their attempts to gather detailed forensics reports thwarted.

They have since brought in CyberCX to work collaboratively with the Court’s own internal cyber security team to review the limited information they have, and to assess data and security controls that were in place.

“Our cyber team have carefully reviewed VIQ system design documentation and are now working with the administrator’s [McGrathNicol’s] cyber security team to verify that with CyberCX,” Lagos said.

“Our cyber security team has worked directly with [the administrator] to be able to gain verification of certain controls as well as ensuring that CyberCX has the requisite access to what they require to be able to conduct their investigation on our behalf and provide us with a report.”

Lagos said that the Courts “had measures in place to know that [VIQ] had all the necessary security controls and their infrastructure was such that all of the data and all of the recording records were retained in Australia, encrypted to be only accessed in Australia and had not been transferred offshore.”

She said that the present assessment formed by local cyber security resources was that data from court proceedings that VIQ transcribed remained on servers in Sydney that were accessed “under strict control”.

However, that evidence was challenged by multiple senators, as there is nothing to definitively rule out whether information was screengrabbed or otherwise copied in the course of the work being offshored.

The various courts are still unsure how many transcripts may be caught up in the incident.

The Federal Circuit and Family Court of Australia suggested it may have 136 files that were affected, while the Federal Court put its number at 10, while noting it is based on months-old information.

While the impact remains unverified, the Courts have not made local privacy disclosures to affected litigants and related parties.

“Until we know the extent of the potential breach, it is actually very hard for us to form a view as to what steps we are required to take,” Pringle said.

“We don't have the relevant information to make the assessment as to whether we're required to and should do. 

“There are harms that can be caused by alerting people to issues when there might not be a need. It can cause all sorts of distress.”