NSW Treasury Insider Allegedly Took 5,600 Files — What Wealth Managers Should Learn

NSW Police arrested a 45-year-old Treasury staffer on Monday after internal monitoring allegedly detected the transfer of more than 5,600 confidential commercial and financial documents to an external server. As reported by Cyber Daily, the alleged exfiltration happened between 10 and 14 April, was reported on 19 April, and led to charges under the Cybercrime Squad’s Strike Force Civic the following day. The NSW Government has confirmed the incident and says the data has been recovered.

This wasn’t a Russian APT or a ransomware crew. It was a public servant with legitimate access. Wealth managers, financial planners and accounting firms hold the same kind of data the alleged offender went after — client tax returns, statements of advice, trust account records, beneficiary details — but with far thinner monitoring than NSW Treasury. Under APP 11 and the looming statutory tort for serious invasions of privacy in the Privacy Act reforms, an insider walking out with a client list is a notifiable breach, and the OAIC has been clear that “we trusted them” is not a defence. Insider incidents account for a meaningful share of OAIC notifications every quarter, and they tend to involve more sensitive records than the average external attack.

Three quick wins. First, turn on data loss prevention (DLP) on email and cloud storage so large or unusual exports get flagged automatically. Second, review who actually needs bulk download rights to client folders and revoke the rest — most staff need to see records, not extract them in batches. Third, make sure offboarding revokes access on the day someone resigns, not the week after. If you’ve never run a “what would we see if a staff member tried to copy the client book” exercise, schedule one this quarter.

We work with Australian financial advice and accounting firms on exactly these controls — DLP, conditional access, and access reviews. Have a look at our financial services IT page or get in touch if you’d like a second set of eyes on insider risk.