Exclusive: Hacker uses Productivity Commission breach to bully journos

The email also featured what appeared to be a link to a threat forum page for the growingly infamous threat actor 2019.

Hollingworth’s email mentioned his name, suggesting the emails were targeted. Cyber Daily understands that other Australian media also received emails of the same kind from the noreply email address.

A day later, on 10 June, the Productivity Commission confirmed the incident, stating that it was aware of the issue and had launched an investigation into the matter.

“On 9 June 2026, some members of the public received unsolicited emails from a Productivity Commission email address. Some of these emails contained identifying information that the sender implied had been taken from PC records,” the Productivity Commission said.

“As a result of our initial investigation into this issue, we have determined that an external third party is the source of these emails. During our review, we found no evidence that any of the identifying information used in the emails has come from the PC. The PC website does not store personal data in a way that would expose user emails, and many of the affected individuals have had no prior engagement with the PC.”

The Productivity Commission added that a vulnerability was identified and had now been patched.

VIEW ALL

“We now know that a previously undetected vulnerability on the PC website was exploited by the third party to send emails that appeared to originate from a PC email address. This vulnerability has been identified and remediated,” it said.

The Productivity Commission said it has reported the incident to the Australian Cyber Security Centre (ACSC) and has taken steps to prevent further emails.

Strangely, 2019 has not listed the Productivity Commission or made any public claims of an incident against it, making their motivation unclear.