EXCLUSIVE : Victoria Police will probe a massive data breach that has hit the state government, with the personal medical information of hundreds of staff circulating on the dark web.

The breach, revealed by the Herald Sun last night, has been referred to police by the government today.

The Department of Premier and Cabinet confirmed this afternoon that multiple government agencies were caught in the breach.

MAJOR DATA BREACHES: CYBER THREAT IN AUSTRALIA GROWS

DATA SECURITY: BREACHES HAPPENING EVERY DAY

MORE LAW AND ORDER

“The Department takes these issues seriously and is working with agencies to ensure data security is heightened to reduce the potential for any additional breaches,” a spokeswoman said.

Leading cyber security service IDCARE has also been tasked by the government to advise on “effective response and mitigation to the issue”.

The Herald Sun revealed last night at least 10 gigabytes of text-only information appears to have been stolen from state government networks, relating to agencies including the CFA, Emergency Management Victoria, Parks Victoria and the Department of Environment, Land, Water and Planning.

The data breach is understood to have taken place in October.

The Herald Sun contacted several affected agencies about the matter on November 7 but received blanket denials about cyber security issues.

But on Friday night, the Herald Sun became aware that some files stolen from inside the state government had become available on the open web.

More data was also circulating on the dark web — a hidden part of the internet surfed by hackers, where private information is often sold and traded.

Files seen by the Herald Sun include the names of thousands of emergency services personnel, including CFA volunteers and police officers.

media_camera Victoria’s emergency services have suffered a massive data breach, with the personal medical information of hundreds of staff circulating on the dark web. Generic picture: iStock

Some of the data lists medical conditions they are suffering and how these ailments affect their duties. In some cases, people’s home addresses were detailed.

Information about the state’s critical infrastructure — including incident control centres and communications towers — is also believed to have been breached.

There is understood to be hundreds more files involved which the Herald Sun has so far been unable to access.

Agencies contacted by the Herald Sun earlier this month indicated they were not aware of any data breach.

At the time, a DEWLP spokesman said the agency had reviewed its cyber security systems after the Herald Sun’s inquiries and confirmed “there have been no reported data breaches”.

The spokesman had said an investigation would be carried out “to confirm whether any breach has occurred and seek to rectify any issues that are identified”.

As of Friday night, it is understood DEWLP and Parks Victoria had not identified a breach from their systems.

A CFA spokeswoman said they were investigating the issue and would implement “any security protocols necessary to ensure the protection of personal data”.

tom.minear@news.com.au