Introduction
In a recent cybersecurity incident that made national headlines, more than 100,000 sensitive parliamentary emails and documents were handed over to a private company that had already been hit by a massive cyberattack. What should have been a routine transfer of information instead became a textbook case of how third‑party risk and poor data‑handling practices can silently expose confidential information.
For small‑to‑medium businesses, this story isn’t just “government drama”—it’s a warning that could easily apply to your own IT environment.
What Actually Happened
A government department sent a large batch of private emails and documents to a law firm, which was acting as a contractor for ongoing legal or investigative work. The data was transferred electronically, bundled into encrypted or password‑protected files, and handed over in what appeared to be a standard, lawful process.
The problem? The law firm had already been compromised in a prior cyberattack. That meant the sensitive communications—potentially including national‑security‑related information, internal briefings, and confidential correspondence—were now sitting in a contractor’s systems that had already been breached by overseas cyber‑criminals.
This is less of a “phishing email” incident and more of a third‑party data‑handling failure—a type of risk that grows bigger as organisations outsource more services, cloud storage, and support.
The Hidden Risk: Third‑Party Vendors
Most small and medium businesses outsource at least part of their IT—whether it’s email hosting, cloud backups, legal or accounting services, or managed‑IT support. That’s not wrong; but it does introduce a new attack surface.
When you hand data to a contractor, you’re effectively saying:
“We trust your security controls.”
“We assume your systems are not already compromised.”
“We believe you’ll protect our data the same way we do.”
Unfortunately, that assumption is often wrong.
In the parliamentary case, the law firm had been breached months earlier, and the level of remediation and transparency wasn’t enough to fully protect the sensitive data that arrived later.
How Your SMB Can Avoid the Same Trap
Here’s how to turn this high‑profile incident into concrete protection for your own business:
1. Vet vendors before sharing anything
Before you send any sensitive data to a third party, ask:
Do they have written security policies?
Are they insured for cyber‑related incidents?
Have they suffered any recent breaches you should know about?
If the answer is “no” or “we don’t know,” you should think twice before sending anything confidential.
2. Encrypt and tightly control access
When you must share data with a contractor:
Use encrypted transfers (encrypted email, secure portals, or S‑FTP).
Set time‑limited access (for example, read‑only links that expire after 7 days).
Avoid “unlocked” file shares or generic cloud folders where anyone on the vendor’s team can see everything.
This limits the damage if the vendor’s systems are later breached.
3. Assume your contractors are targets
Professional services firms, legal teams, and IT providers are high‑value targets because they hold data for many clients.
Check that they enforce multi‑factor authentication.
Confirm they patch systems regularly and have basic incident‑response plans.
If your vendor doesn’t treat cybersecurity seriously, you’re increasing your own risk.
4. Keep critical data in‑house where possible
For SMBs, the safest model is often:
Core business data and email archives stay under your own control.
Contractors only receive what they need, when they need it, in a controlled, time‑bound way.
This reduces the number of places where your data could be exposed if one vendor is compromised.
Why This Matters for Perth SMBs
Local Perth businesses—especially those in legal, healthcare, finance, or professional services—regularly share sensitive client information with external partners. If you email confidential documents to a law firm, accountant, or outsourced IT team without understanding their security posture, you’re running the same kind of risk the parliament did.
The good news is that small‑business‑level controls can go a long way: dedicated email security, multi‑factor authentication, and a clear vendor‑onboarding checklist can stop many of these incidents before they start.
Final Thought
No business is “too small” to be targeted, and no vendor is automatically “safe” by default. The 100,000‑email incident shows that once data leaves your own environment, it’s only as secure as the weakest link in the chain.
If you’re not sure how your current vendors handle your data—or what would happen if one of them was breached—now is the time to ask.
Want a quick check of your vendor‑security and data‑sharing policies?
Drop a comment or message us, and we’ll help you tighten up your third‑party risk the way a Perth‑based MSP would.



