18th September 2025 Cyber Update: NSW Government Supply Chain Cyber Incidents Quadruple

Cyber incidents linked to third-party suppliers used by the New South Wales government have more than quadrupled in two years, revealing significant vulnerabilities in the state's digital supply chain. The surge highlights the growing threat of supply chain attacks to government services and data.

Cyber News Centre's cyber update for 18th September 2025: Across Australia, supply chain vulnerabilities are fast becoming one of the most pressing challenges for government agencies. Nowhere is this clearer than in New South Wales, where third-party suppliers have become a growing target for cyber incidents.

The Update and Why It Matters

The Update: Cyber incidents linked to third-party systems used by the NSW government have more than quadrupled over the past two years, with 17 incidents recorded in the 2023-24 financial year, compared to just four in 2021-22. The figures, revealed under a Government Information Public Access Act (GIPA) request, show a steady increase in supply chain attacks, with eight incidents in the previous year.

In response to the growing threat, the NSW government has pledged $87.7 million to Cyber Security NSW over four years, building on the $20.3 million invested last year. The Department of Customer Service, which oversees Cyber Security NSW, said that the government requires agencies to manage cyber risks from third-party providers, including embedding security requirements into contracts and conducting vendor risk assessments. However, the rise in third-party incidents is paralleled by a finding that two-thirds of agencies have not yet met required protection standards, meaning most remain below the minimum state-mandated cyber security baseline.

This surge in third-party incidents comes after a recent data breach at NSW Health, where the personal and professional data of nearly 600 medical staff was accidentally leaked online due to a website configuration error.

Why It Matters: The quadrupling of third-party cyber incidents in the NSW government highlights a critical vulnerability in Australia's public sector: the digital supply chain. As government agencies increasingly rely on external vendors for services, their exposure to cyber threats grows exponentially. This is not just an IT issue; it's a matter of public trust and national security. The recent NSW Health data breach, while not a third-party attack, demonstrates the devastating consequences of security failures.

As James Corera, Director of the Cyber, Technology and Security program at ASPI, notes,

"Australia is no stranger to cyber disruption. Ports, hospitals, universities, telecommunications providers and supermarkets have all been targeted in recent years. More of the same should be expected. Each incident highlights the same truth: cyber threats spread in minutes, ignoring borders of geography, sector or institution. And in each instance, hesitation costs lives and livelihoods. That is why trust and speed matter."

The government's increased investment in cybersecurity is a necessary step, but the challenge lies in ensuring that security standards are rigorously enforced across the entire supply chain. The effectiveness of these measures will determine whether NSW can successfully defend against the escalating wave of supply chain attacks.

