- A ransomware group, Nova, listed the NSW Government on its dark web blog, claiming to hold over 200GB of sensitive government data.
- The NSW Government pushed back, saying the sample files the group released are historical records that anyone can find on public government domains.
- Security researchers warn that ransomware groups sometimes fabricate or exaggerate breaches to pressure victims into paying without verifying the claims.

A ransomware group just put the New South Wales government on blast, claiming to have stolen over 200GB of sensitive data from a government network. The group, known as Nova, published the alleged breach on its dedicated dark web blog and set a countdown timer threatening to release the full dataset. The NSW Government, however, is not buying it.
NSW chief cybersecurity officer Marie Patane told Information Age that there was no evidence of any sensitive information being accessed at the time of writing. According to Patane, Cyber Security NSW was aware of the query and had already directed public sector agencies to look into it. She added that the only sample files the group provided were historical information that was already publicly available.
Nova’s post carried a pointed message for the government. The group’s listing urged the target to make contact for a deal, warning that any leak could expose the organization to legal consequences and damage public trust.
Nova Claims a Buyer and Demands Negotiation
Nova’s dark web post included a sample of the allegedly stolen data, consisting of three files tied to emergency response projects from the early 2010s and four PDFs showing topographic maps of rural NSW localities.
Information Age independently located four of those files through publicly available government domains, raising immediate questions about the credibility of the breach claim.
Despite the underwhelming sample, Nova claimed the full dataset had already attracted serious interest. According to the group’s post, a buyer had offered close to 704,000 USD for the data.
Nova stated it was not ready to sell yet and was still seeking direct negotiation with the government. At the time of reporting, the countdown timer on the group’s blog sat at approximately 13 days and four hours.
Nova operates on a ransomware-as-a-service (RaaS) model, where affiliates deploy the gang’s ransomware in exchange for a share of any extorted payments. The group has published 140 leak posts since April 2025, and the NSW Government listing marks its first Australian target.
Fake Breaches Are a Widespread Tactic in the Ransomware Playbook
Mandy Turner, adjunct lecturer in cyber criminology at the University of Queensland, explained that ransomware groups rely heavily on their reputation. Their entire leverage depends on victims believing that hackers have genuinely broken into their systems, stolen the data, and will release it if the ransom goes unpaid.
Turner noted, however, that some groups, or actors posing as known threat groups, have exaggerated or completely fabricated breaches in the past. According to Turner, they sometimes repackage previously leaked datasets or publicly available information and present it as freshly stolen data.
She said this tactic serves two purposes: it builds their standing among other ransomware operators and affiliates, and it pressures potential victims into paying before they can verify whether a real breach occurred.
Similar tactics may be at play in a claim against the French Fishing Federation, where a hacker alleges a breach affecting 1,600 members, though the data’s authenticity remains unverified.
Nova also maintains a list of banned affiliates, most of whom appear to be members of Russian-speaking hacking forums removed for violating the group’s internal policies. According to a note Nova published in Russian, any participant on that list should face bans across all RaaS providers, or else the group risks losing the trust of the broader criminal ecosystem.
NSW Public Sector No Stranger to Breaches
The NSW Government has dealt with at least seven data breaches tied to public services since 2020. The most recent incident, in April, involved a public servant who allegedly removed thousands of government documents spanning multiple departments and projects.
When asked whether existing penalty frameworks were doing enough to address the problem, Turner said penalties alone do not necessarily make a system or its processes more secure.
She acknowledged that government data breaches carry national security implications, can damage public trust, and expose affected individuals to identity theft risks. Still, Turner noted the NSW Government appeared to be focused on continuous improvement rather than reactive measures.
According to Turner, the government is working to build cyber resilience, strengthen reporting mechanisms, and maintain transparency with the public. She described it as a careful balance between incentives and consequences, and said the government was making genuine efforts to keep improving its approach.