Exclusive: Over 100,000 sensitive parliamentary emails and documents were transferred to a private company that had previously suffered a significant cyber breach by Russian hackers, despite warnings labeling the move as an “extreme” risk.

9News, The Age, and The Sydney Morning Herald have uncovered that the second-highest-ranked official in federal parliament instructed her department to conduct a comprehensive search of all emails, Microsoft Office files, and Teams chats spanning a 10-month period in 2023. This was part of an investigation into alleged misconduct by senior colleagues, including her superior at the time.

Jaala Hinchcliffe, who was the deputy secretary of the Department of Parliamentary Services (DPS) at that time, directed the IT team on two occasions to allow the department’s legal representatives, HWL Ebsworth, access to parliamentary communications.

In one instance, a private contractor received full administrative rights to the DPS’s entire computer network, despite cybersecurity experts within the department warning that this could lead to the unlawful exposure of sensitive information, potentially affecting national security.

The DPS cybersecurity team was particularly concerned about the unfiltered data being handed over to HWL Ebsworth, especially after the company fell victim to a massive cyberattack in April 2023 by a ransomware group operating out of Russia.

During that breach, 3.6 terabytes of data were stolen from HWL Ebsworth. The firm counts numerous government agencies among its clients, including Home Affairs, Defence, the Australian Federal Police, and the Department of the Prime Minister and Cabinet.

Computer networks are used by federal MPs and senators and their staff to conduct their work, some of which has legal protection and immunity under so-called parliamentary privilege.

Federal politicians have told 9News, The Age and The Sydney Morning Herald they fear confidential communications may have been potentially compromised.

“If this investigation has breached that parliamentary privilege, well, then that confidentiality has been breached also, and that’s really a threat to the democratic processes that we rely upon,” Liberal senator Jane Hume said.

Greens senator Steph Hodgins-May said it was a “huge breach of trust from a government department that, frankly, doesn’t pass the pub test”.

Hinchcliffe was investigating the propriety of a $315,000 “incentive to retire payment” to former department deputy secretary Cate Saunders, who had a personal relationship with Rob Stefanic, the DPS secretary until December 17 last year, when he was sacked.

Stefanic was dismissed by Senate President Sue Lines and the Speaker of the House of Representatives, Milton Dick, citing a loss of trust and confidence.

Hinchcliffe became acting secretary in November and was appointed formally to the role in March this year.

The National Anti-Corruption Commission (NACC), which is currently investigating the payment to Saunders, raided parliament on October 3 last year.

But four months before the NACC raid – and a month before DPS asked barrister Fiona Roughley to begin a separate “fact-finding” probe – Hinchcliffe had begun her own investigation into Stefanic, her then boss, and the payment to Saunders.

She asked the department’s IT team to search for communications between February and November 2023 involving 10 people, including Stefanic, Saunders, the Australian Public Service Commissioner Gordon de Brouwer and senior staff, as well as seven key words or terms: including incentive to retire, ITR, Secretary, APSC and Commissioner.

According to documents seen by 9News, The Age and The Sydney Morning Herald, the search generated more than 108,000 emails and 44,000 Microsoft Office 365 records – many more if duplicates retrieved from multiple computer systems were included.

This data was sent to HWL Ebsworth in July last year.

But Hinchcliffe was not satisfied.

She told the IT department the next month that counsel for the department believed potentially relevant materials had been “inadvertently excluded” from the data.

She requested another search but this time conducted by a data analyst contracted by HWL Ebsworth.

A risk assessment conducted by the IT and cyber section of DPS concluded Hinchcliffe’s request carried “extreme” risk on two fronts: the potential breach of confidentiality, including matters of national security; and the potential release of material subject to parliamentary privilege.

Hinchcliffe was sent the advice on September 4 but 9News, The Age and The Sydney Morning Herald has been told she neither approved, rejected or sought further details on the advice.

The next month DPS IT was directed to give HWL Ebsworth’s contractor full systems administrator access to the department’s computer systems, data and networks, which occurred over two to three days.

In a statement, DPS said HWL Ebsworth “provided suitable assurances to facilitate the provision of this information, with mechanisms and protocols established to manage all data”.

Queensland LNP Senator James McGrath said he would be concerned if sensitive communications were shared beyond the parliamentary network.

“If public servants have released emails to a third party against a risk assessment which advised them not to release those emails, then heads should roll,” McGrath said.

Hume said that DPS, in pursuing alleged misconduct, may have breached confidentiality.

“The idea that the department would potentially share information that was already privileged with a third party, and that that third party had had a cyber breach only 12 months before that, to me, sets off alarm bells,” she said.

Hodgins-May said that while it was important to investigate potential wrongdoing, “methods absolutely matter”.

“What we’ve seen is a dragnet that’s trolled through and captured over 100,000 emails, sweeping up correspondence between even junior staffers with no suggested involvement in this, and then handing it over to a third party,” she said.

DPS said Roughley was provided with access to DPS information relevant to the scope of her investigation.

“No Parliamentarian or Parliamentary data was provided to Dr Roughley,” the department said.

“DPS can confirm that legal advice and other contracted services were sought from national law firm HWLE Lawyers to support Dr Roughley’s fact-finding investigation, and DPS’s engagement with relevant Commonwealth agencies, including the NACC.”

Before joining the Department of Parliamentary Services, Hinchcliffe was deputy commissioner at the National Anti-Corruption Commission and a former Australian Commissioner for Law Enforcement Integrity.