Updated 3 May 2026
Kingborough Council was made aware on Thursday 30 April of a potential cyber incident. Access was immediately removed and an investigation was commenced, including engaging experts from across the cyber security industry to understand the nature and extent of the issue.
The personal information primarily included:
- Property addresses
- Associated owner and occupier names
At this stage, ongoing investigation indicates that a small number of records may have also included email addresses. No phone numbers have been identified.
The data did not include financial details, identity documents, dates of birth, or other sensitive personal information.
Council treats matters of cyber security seriously and is currently reviewing these developments and the information provided as a priority. At this stage, our work is ongoing and we will provide further updates as they become available.
Council is working with experts from across the cyber security industry to assist in responding to the incident and to help ensure that all appropriate action is taken. Council has also notified the Australian Cyber Security Centre (ACSC), Tasmanian Department of Premier and Cabinet, Tasmania Police and the relevant government agencies.
“I understand the community’s concern, and I want to be clear that this matter is being taken seriously,” said CEO, Dave Stewart.
“The information involved was limited, access has been removed, and there is no immediate evidence of misuse.
“We are undertaking a forensic investigation and will communicate openly when we have further information.
“I sincerely apologise for any concern that this has created in our community.”
Our approach
Council is committed to being open and transparent with the community as this situation unfolds.
We are providing updates in real time through this page to ensure the community has access to the most current information available, while the investigation is ongoing.
At the same time, we recognise the importance of providing clear, accurate, and complete information once all facts are known.
Once the cyber investigation has concluded, Council will issue a formal letter to all affected members of the community.
This will ensure that:
- Everyone receives consistent and confirmed information
- Any findings from the investigation are clearly communicated
- Appropriate advice and next steps are provided
This approach balances the need for transparency now, with the responsibility to provide accurate and verified information once the investigation is complete.
Current status
- The data is no longer publicly accessible
- There is currently no evidence of misuse
- No Council systems were compromised
- A forensic investigation is ongoing to understand the extent of access and exposure
Council will continue to update this page as more information becomes available.
________________________
Q&A (update 3 May)
Cyber Incident:
What has happened?
Kingborough Council identified that data containing property, ownership and occupier information was temporarily accessible online.
Once this was confirmed, public access was removed and the data is no longer available.
The data wasn’t accessible through Council’s public maps by simply selecting properties on our website or browsing the Council’s maps. The data sat behind our mapping system and accessing it would have required a level of technical knowledge beyond typical website use.
Investigations are ongoing to fully understand how the data may have been accessed during this period.
Who has this affected?
The data relates to all residential property owners and occupiers within the Kingborough Municipality.
Investigations are ongoing to better understand the level of exposure.
What was accessed?
The personal information primarily included:
- Property addresses
- Associated owner and occupier names
At this stage, ongoing investigation indicates that a small number of records may have also included email addresses. No phone numbers have been identified.
The data did not include financial details, identity documents, dates of birth, or other sensitive personal information.
Property ownership information of this kind is not unique to Council and can be accessed through other means, such as purchasing property ownership details via the Tasmanian Government’s The LIST service. However, those services typically require individual property searches and do not include contact details such as email addresses or phone numbers.
In this case, the dataset brought some of this information together in one place.
No Council systems were compromised, and there is no evidence that data was altered.
Council can confirm the data contained approximately 26,000 records representing properties across the municipality. A forensic investigation is underway, with further updates to be provided as more information becomes available.
Council has identified the individuals whose email addresses have been included and will contact those affected directly.
Advice for the community
Based on current information, this appears to involve limited access to the data.
Council will contact directly any individuals whose email addresses may have been included in the dataset.
Anyone with concerns is encouraged to contact Council:
- Email: kc@kingborough.tas.gov.au (subject: Cyber Incident)
- Phone: 6211 8200
Why did this happen?
There is no evidence of malicious intent or a cyber-attack.
The exposure occurred as a result of a technical configuration issue, not deliberate misuse or external intrusion. This is an isolated incident.
The CEO has held initial discussions with Tasmania Police regarding the incident and appropriate next steps.
Important advice for anyone who has accessed this data
If you have accessed, downloaded, or been provided with this information, you should:
- Delete the data in full
- Not copy, share, or distribute the information in any way
- Not use the information to contact individuals
Unauthorised use or distribution of personal information may breach obligations under the Privacy Act 1988 and other applicable laws.
How did we find this out?
Council became aware of the issue on 30 April 2026 after it was brought to the attention of the CEO.
An immediate investigation was commenced, and public access to the data was removed promptly to contain the issue.
Once contained, Council engaged its cyber insurance provider, independent cyber security specialists, and legal advisors to support a formal investigation.
Council is also working through its obligations to notify relevant regulatory bodies and will make any required notifications in line with applicable legislation.
What guarantee do we have that this won’t be used maliciously?
Council cannot provide an absolute guarantee.
However:
- The dataset was limited in nature
- Only a small subset of records may have included email addresses
- No phone numbers have been identified
- It did not include financial details, identity documents, or dates of birth
There is currently no evidence that the information has been misused.
Council is continuing forensic analysis to better understand access to the dataset.
Have we fixed the issue?
Yes. The immediate issue has been addressed:
- Public access to the dataset has been removed
- Initial checks confirm the data is no longer externally accessible
- Specialist technical, legal and insurance support has been engaged
These actions were taken promptly once the issue was identified.
What are we doing to ensure this doesn’t happen again?
Council is:
- Conducting a forensic technical review
- Reviewing change management processes
- Strengthening internal governance around data management
Further updates will be provided once the investigation is complete, in line with our commitment to transparency.
Use and Risks of Exposed Information
The information involved was primarily names and property addresses. Ongoing investigation indicates that a small number of records may have also included email addresses. No phone numbers have been identified.
It did not include financial details, identity documents, dates of birth, or other sensitive data.
On its own, this type of information presents a relatively low risk. While email addresses may increase the likelihood of unwanted contact, they are not sufficient to enable identity theft or financial fraud.
However, any unauthorised access to personal information is a concern. In some cases, this information could be used alongside other data to support unwanted contact, such as scams or marketing.
At this stage, there is no evidence that the information has been misused.
Access to the data has been removed, and Council is continuing to investigate with support from technical and legal specialists.
Council will contact directly the small number of individuals whose email addresses were included to ensure they are aware and supported.
We encourage community members to remain vigilant and report any suspicious activity.
If you have accessed or obtained this information, you should:
- Not share, distribute, or publish the data
- Delete any copies you may have saved
- Not use the information to contact individuals
- Notify Council to support the investigation
While the Privacy Act 1988 (Cth) primarily regulates how organisations handle personal information, not individuals, any further use or distribution of this data may cause harm and could have legal implications under other laws.
Council appreciates the community’s cooperation in handling this matter responsibly.