Court Transcripts offshored without authorisation

Third-party vendors are having a bad month. Court transcripts were offshored without authorisation, a fintech platform leaked 444,000 borrowers' data, and mandatory ransomware reporting is now in full enforcement. Here's what matters.

🔐 4 things law firm leaders should know right now:

1. Australian court files exposed after transcription vendor offshored data to India. VIQ Solutions, which provides transcription services for the Federal Court, Family Court, and state tribunals across Australia, subcontracted work to Indian firm e24 Technologies — in direct breach of its Commonwealth contracts. Thousands of highly sensitive case files were accessed by unvetted overseas staff, including matters involving domestic violence, child abuse, national security, and covert police operations. VIQ staff raised concerns as early as August 2025 and were told to stop spreading "rumours." Senator Shoebridge called it a national security risk. For law firms: if your matters are transcribed by a third-party provider, do you know where your data actually goes?

2. Fintech platform youX breached — 444,538 Australian borrowers exposed. An unsecured MongoDB database left 141GB of data accessible for at least 10 months, including 229,236 driver's licences, 629,597 loan applications, and records from nearly 800 broker organisations and 90+ lenders. A security researcher warned youX about the vulnerability in March 2025. It wasn't fixed. ASX-listed companies are now filing disclosure notices due to downstream exposure. For law firms handling finance, property, or asset work: your client data may sit on platforms you've never audited.

3. Mandatory ransomware payment reporting is now in full enforcement. Phase 2 of Australia's Cyber Security Act 2024 kicked in on 1 January 2026. If your firm turns over $3M+ and pays a ransom, you have 72 hours to report it to the ASD. The education-first grace period is over. The fine is $19,800 (up to $99,000 for body corporates from June 2026), but the real risk is reputational. If your incident response plan doesn't include a ransomware reporting workflow, it's not fit for purpose.

4. 85-year-old Hazeldenes poultry processor hit by cyberattack — production shut down. One of Australia's largest poultry processors confirmed a cyber incident on 19 February, taking systems offline and disrupting supply across Victoria. It's a reminder that ransomware doesn't just hit tech companies. Any business in your supply chain — or your client's supply chain — is a potential vector. Know who holds your data and who holds theirs.

🔧 Tool: Have I Been Pwned (haveibeenpwned.com). Free. After the youX breach, check whether your firm's email domains have appeared in known data breaches. You can set up domain-wide notifications so you're alerted automatically when staff credentials surface in new leaks. Most firms I speak to have never done this.

💡 Tip: The VIQ breach is a masterclass in third-party risk. Review your contracts with any vendor that handles client data — transcription services, eDiscovery platforms, cloud storage, managed IT. Ask two questions: (1) Can they subcontract without your knowledge? (2) Where is the data physically processed? If you don't know the answers, that's your action item this week.

📖 Resource: Thinking about what your firm would actually do in the first 72 hours of a breach? I'm running a CPD-accredited webinar — "Navigating a Cyber Breach: A Live Decision-Making Experience" — where you'll work through a real-time ransomware scenario using my Colour Code Method™. It's built specifically for legal sector leaders. Details coming soon — reach out if you'd like early access.

💬 Quote: "This looks like it's been very much 'set and forget' from the Federal Court going back over years, relying on the blank assurances being given by a private operator." — Senator David Shoebridge, February 2026, on the VIQ Solutions breach

If any of this raised a governance or vendor risk question for your firm, happy to compare notes →[Cyber Chat]

— John

John Reeman - Virtual CISO

I'm the CEO and Founder of Cyooda Security, an independent cybersecurity and digital forensics advisory consultancy based in Sydney. I'm the former CISO of King & Wood Mallesons, a global law firm, with 30 years of cybersecurity leadership protecting organisations and government agencies from data breaches, ransomware, and cyber espionage.

The Legal Cyber Brief — monthly cyber intelligence for law firm leaders. Threats, regulatory shifts, and practical tools from the field. No fluff.
