Australian Court Files Exposed in Deliberate Breach of Data Sovereignty

On 20 February 2026, Canadian transcription services provider VIQ Solutions confirmed it had subcontracted work to an Indian firm, e24 Technologies, in direct violation of its Commonwealth contracts. The subcontracting exposed thousands of highly sensitive Australian court files to a foreign entity with no legal authorisation to access them.

The files came from the Federal Circuit and Family Court, which handles domestic violence and child abuse cases, and the Federal Court, which hears national security and major corporate matters. Courts across NSW, Victoria, Queensland, WA and SA were affected.

VIQ Solutions is a publicly traded company that provides AI-driven transcription services to courts and tribunals across Australia and internationally. Its Commonwealth contracts explicitly prohibit the offshoring of data. Despite this, internal documents obtained by ABC News, which broke the story on 16 February, show staff at e24 Technologies with Indian email addresses accessing the files.

What makes this worse: VIQ employees raised concerns about the offshoring as early as August 2025. Management dismissed them.

What Was Exposed

The files included documents from some of Australia's most sensitive proceedings.

• Domestic violence and child abuse cases from the Federal Circuit and Family Court

• National security and major corporate matters from the Federal Court

• Evidence potentially involving ASIC, the Australian Federal Police and intelligence agencies

Greens senator David Shoebridge described it as a national security risk, noting that "incredibly sensitive evidence from organisations like ASIO, the Australian Federal Police, is given in private court because it could be addressing links to international criminal organisations, potential foreign interference in the country."

VIQ has acknowledged the incident is "reasonably likely to have a material impact" on its financial condition, with Australian operations representing a significant portion of its revenue.

This Was Not A Cyberattack

The VIQ breach did not happen because of a sophisticated attack or an unknown vulnerability. It happened because a company made a deliberate decision to offshore sensitive data for cost reasons, in direct violation of its own contracts.

This is a vendor governance failure. And it raises a question every government agency and regulated organisation should be asking right now: how confident are you that your vendors are doing what they say they are?

Signing a contract and assuming compliance is not governance. The moment you hand sensitive data to a third party, you are responsible for what happens to it, including what that third party does with it next.

The Australian government is under pressure to review VIQ's contracts and determine the full scope of the breach. The courts involved are conducting their own investigations. Senator Shoebridge has called for the contracts to be terminated.

For the people whose cases were affected, including domestic violence victims and national security witnesses, there is no straightforward way to know exactly what was accessed or by whom.

Why Data Sovereignty Matters

The VIQ breach was not inevitable. It was a deliberate choice to cut costs, and a decision to ignore the people inside the company who raised concerns about it.

Signing a vendor contract is not the same as managing vendor risk. Once you hand sensitive data to a third party, what happens to it is still your problem.

Data sovereignty matters here. When data crosses the border, Australian law no longer protects the people it belongs to. The individuals whose court files ended up in India had no idea that was happening and no way to stop it. VIQ's contracts explicitly prohibited offshoring. That still was not enough.

The only reliable way to know your data stays onshore is to work with an organisation that operates entirely within Australia, with no subcontractors in other jurisdictions and no offshoring to cut costs.

Secure ISS operates that way. Our security operations centre, our analysts and our systems are all onshore. Data we handle stays under Australian law, monitored by people accountable under that law. That is how we think security operations should work.

If your organisation relies on third-party vendors to handle sensitive data, continuous vendor assurance is not a nice-to-have. Secure ISS provides governance, risk and compliance services and security monitoring built for the Australian market. Get in touch with us today.