At CMM Quay Legal Group we take privacy and security seriously. Our privacy policy can be found at:

CMM Quay was recently the subject of a cyber ransomware attack. Therefore electronically stored information on the CMM Quay database may have been accessed by an unauthorised party.

We set out below details of the cyber-attack, what we have done and what we are doing to safeguard the information we hold.

We also make suggestions as to steps you can take to protect yourself.

What information do we hold electronically?

Like all legal firms, we hold information provided to us in the course of clients’ legal transactions and for providing legal advice.  We also hold information provided to us to be able to manage our business. This information includes:

  • Names and contact details
  • Details of legal transactions
  • Bank account numbers used in transactions (we do not hold passwords or security questions/answers)
  • Copies of passports, licences and personal certificates
  • Copies of safe custody holdings, such as wills

What we have discovered and done to date

On 9 December 2021 at around 9:00 am AEDT, CMM Quay became aware that its computer network had been compromised by a cyber ransomware attack which took place at around 12:30 am AEDT that morning. Essentially hackers locked our computers so that we could not use them to work, demanding a ransom to unlock them.

We immediately disabled all external access to our network, and our IT and cyber security experts (our experts) scanned all our computers for malicious software.

Investigations by our experts revealed that the hackers entered our network via the Exchange (email) Server. If that is the case, the hackers could have sent emails purporting to be from CMM Quay. It should be noted that CMM Quay personnel did not send emails after approximately 10:30 pm AEDT on 8 December 2021, the evening before the attack, and that CMM Quay emails only became operational again at 3.45pm AEDT yesterday, 15 December 2021.

To date there is no evidence that electronic information of clients was extracted in the ransomware attack. While no other malicious software was found, CMM Quay data was put back to the position it was in, before the cyber-attack occurred.  Also, our computers are presently being constantly scanned for malicious software.  We are continuing our investigations in relation to the compromise of data and associated sensitivities, and as to how to prevent reoccurrence.

Of course, we have reported the cyber-attack to the Australian Cyber Security Centre (ACSC).

What you should do

DO NOT reply to suspicious emails from CMM Quay, including emails that ask you to click on a link or to provide unexpected information.

DO NOT open suspicious attachments to emails from CMM Quay, particularly if they are not expected as part of a transaction.

It is unlikely that we will change our banking or contact details. If you receive an email from CMM Quay providing new bank or contact details, DO NOT action it without first calling our office.  In fact, you should ALWAYS contact our office if we have provided bank details, to check they are correct.

You may call your usual CMM Quay contact or our office on our office phone number, to verify any email, but DO NOT use the contact details within a suspicious email. Only use a means of contact that you can independently verify.

Our office phone number is below, but for added security, it can be found at or at

Our lawyers’ email addresses can also be found at

Please feel free to contact us with any questions by:

  1. reply to this email; or
  2. phoning our office manager, Mary Tullis, on our office phone number.

We reiterate that CMM Quay takes privacy and security seriously, and while we employed reasonable preventative measures, we are working on more measures to be put into place.

Recommended steps

For added precaution, CMM Quay recommends that you take the following steps to reduce the likelihood of harm occurring:

  1. Monitor inbound and outbound emails of both work and personal email addresses for unusual activity;
  2. Monitor bank accounts for suspicious transactions.  You may also wish to contact your bank for added security;
  3. Reset access passwords;
  4. Be vigilant for any unusual contact from unknown individuals or entities requesting information; and
  5. Again, if you are unsure of an email purporting to come from CMM Quay, phone our office to verify it is genuine.

Further helpful information and contacts

Office of the Australian Information Commissioner (OAIC)


Privacy Hotline on 1300 363 992

Web site:

Address:  The Australian Information Commissioner

GPO Box 5218

Sydney NSW 1042

Australian Cyber Security Centre

Cyber hotline:  1300 292 371 (1300 CYBER1)

Website: for general information concerning data security breaches.


General enquiries
PO Box 5076
Kingston ACT 2604



Josephine Muscolino
Principal Lawyer and Notary Public