Customers, workers left in the dark on personal data after Barnett's cyber attack

The long-standing interstate courier business closed earlier this month, two weeks after standing down staff.

"Although we have been working tirelessly with leading IT consultants to restore our systems, regrettably we have been unable to overcome these challenges and we have made the difficult decision to cease operating Barnetts Couriers," an automated email sent in reply to inquiries reads.

"We want to thank you, our customers, for the loyalty you have shown to our business for over 40 years."

Since then, staff, their union representatives and customers have struggled to find out more about the attack and what it might mean for their personal data held by the company, potentially putting Barnett's in breach of Privacy Act requirements.

Richard Olsen, Transport Workers Union NSW/QLD state secretary, said the union was unable to get any information from the business.

"The Transport Workers Union of NSW (TWU) has not received any updates from Barnetts Couriers regarding the cyberattack and the subsequent closure of the business,'" he said.

"Despite numerous attempts to reach out to the managers and owners of the company, the TWU has been unsuccessful in establishing contact."

In the fortnight since the company told staff it had closed, some former employees have found new roles, while others are waiting to see what happens with outstanding pay and entitlements.

Workers who spoke to the Mercury said they had been verbally assured their details were safe, including bank details, drivers licences and other personal information, but given the significance of the reported cyber attack, they were left with questions.

"We don't know," one said.

"No one's given us any answers."

Long-term customers are also in the dark.

Megan Waud is the owner-director of Ironbark Metal Design, and had used Barnett's Couriers for years to ship to addresses up and down the east coast and ACT.

After the company's systems went down in mid April, Barnett's was still able to take orders over the phone, however information had to be repeated that would normally be on file.

But subsequently there was no further communication from the company about the outage that affected their operations, with Ms Waud only finding out about the company's closure after inquiring about a duplicate bill sent last week.

"As a responsible business operating for 40 years, the least they could do is communicate with customers," Ms Waud said.

Ms Waud is also concerned that her company's information could be accessible to the cyber criminals who crippled Barnett.

"Could communications with customers have left [customers] open to cyber attack?"

Under the Commonwealth Privacy Act, businesses with an annual turnover of more than $3 million must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if a data breach occurs.

As a privately owned company, Barnett's Couriers accounts are not public, and a spokesperson for the OAIC did not respond to specific questions about Barnett's Couriers and whether a report had been made.

The penalties available under the Privacy Act can go up to $50 million for a corporation.

After the initial report of a cyber attack, neither the Australian Federal Police or NSW Police had received a report of an attack and were not investigating.

Barnett's has been contacted for comment.