Cyber Security · Data Sovereignty
The Hidden Risks of Offshore IT Support: Why It Matters Where Your MSP Really Operates
Your MSP’s logo might be Australian. The people holding your admin credentials at 2am might not be. Here’s what that means for your data, your compliance and your legal recourse — with the cases to prove it.
By Stanfield IT · 6 July 2026 · 14 min read
Australian jurisdiction
Your data & admin access
OAIC · AFP · Australian courts
Offshore
Offshore service desk
Foreign legal orders
Different laws · limited recourse
Once support crosses the border, so does your effective security perimeter.
What are the risks of using an offshore MSP?
When a managed service provider runs its service desk or network operations centre from another country, your business data and privileged system access cross into foreign legal jurisdictions. The key risks are weaker or unverifiable staff vetting, exposure to foreign government access laws, help desks that attackers now actively target, near-zero legal recourse after an incident — and full liability staying with you under Australian Privacy Principle 8, even when the breach happens offshore.
Key takeaways
- ✓Offshoring is often invisible. Plenty of MSPs that market themselves as Australian route after-hours support, monitoring and ticket handling through offshore delivery centres — and rarely say so on their website.
- ✓Jurisdiction is the risk multiplier. Once your data or admin access sits offshore, the OAIC, the AFP and Australian courts lose practical reach over the people who hold it.
- ✓Liability boomerangs back to you. Under APP 8 your business generally remains accountable for what an overseas provider does with your data — with penalties up to the greater of $50 million, three times the benefit gained, or 30% of adjusted turnover.
- ✓The case studies are Australian. Qantas was breached in 2025 through a platform used by its Manila call centre. Medibank fell in 2022 via third-party credentials — and the man sanctioned for it remains untouchable in Russia.
- ✓Help desks are the new front door. Scattered Spider used voice phishing against help desks in almost every incident researchers observed in 2025.
- ✓Onshore isn’t automatically secure — but it keeps vetting, law and accountability inside one system you can actually enforce.
6 min
A cybercrime is reported in Australia every six minutes (ASD, FY2024–25)
$56,600
Average self-reported cost of cybercrime per report for small business — up 14% in a year
5.7M
Qantas customers whose data was stolen via a platform used by an offshore call centre in 2025
$50M+
Maximum Privacy Act penalty: the greater of $50m, 3× the benefit, or 30% of adjusted turnover
The quiet offshoring of Australian IT support
Walk through the websites of Australia’s larger managed service providers and you’ll see Sydney addresses, Australian phone numbers and local case studies. What you’ll rarely see is where the actual work happens. Phrases like “follow-the-sun support”, “global delivery centre” and “hybrid service model” are doing a lot of heavy lifting: they usually mean your level 1 and level 2 tickets, after-hours calls, network monitoring and routine administration are handled from delivery centres in the Philippines, India, South Africa or Eastern Europe.
The commercial logic is obvious — labour arbitrage lets a provider staff a 24/7 desk at a fraction of Australian wages. And to be clear from the outset: this is not a question of the talent or integrity of individual engineers in Manila or Pune, many of whom are excellent. It’s a question of what happens to law, vetting and accountability when the people holding your most privileged access sit outside the system you can enforce.
Because that’s the part most businesses miss. Your MSP is not just another supplier. It is almost certainly the most privileged external party your organisation has: domain administrator rights, remote management (RMM) agents on every device, the password vault, backup consoles, and the authority to reset passwords and multi-factor authentication for your staff. When any of that is exercised from another country, the location of your MSP’s desk isn’t a staffing detail — it is your effective security perimeter.
Where your after-hours ticket really goes
Your staff member
logs a ticket at 7pm
→
Australian MSP brand
local website & sales team
→
border
Offshore service desk
often a subcontracted BPO — different employer & laws
→
Admin credentials, RMM & password vault
= your entire network
Privileged access crosses the border even when the brand, the invoice and the contract look Australian.
Many businesses have never met — or been told about — the people who can reset every password they own.
Risk 1: Your data answers to foreign laws — and so do the people handling it
Data doesn’t carry Australian law with it when it travels. The moment your files, tickets, credentials or backups are accessible from another country, they fall within reach of that country’s legal system — its courts, its police, its intelligence services and its data-access laws. Some of those frameworks should give any Australian director pause.
China’s National Intelligence Law (2017) obliges Chinese organisations and citizens to support and cooperate with state intelligence work — an obligation that follows companies and personnel wherever a request arrives. Russia operates broad lawful-intercept and data-localisation regimes. And this is not only about adversary states: even the United States, a close ally, asserts extraterritorial access to data held by US providers under the CLOUD Act. The point isn’t xenophobia. The point is that jurisdiction is a control, and offshoring quietly removes it.
Meanwhile, the privacy regimes in common offshore delivery hubs are simply not equivalents of Australia’s. India’s first comprehensive privacy law was only passed in 2023 and its enforcement rules are still being phased in. The Philippines has had a Data Privacy Act since 2012, but an Australian small business has no realistic way to invoke it. Whatever protections exist on paper, you cannot practically enforce them from Sydney, Melbourne or Brisbane.
APP 8: the liability boomerang
Here’s the part that surprises most business owners. Under Australian Privacy Principle 8 and section 16C of the Privacy Act, when your business discloses personal information to an overseas recipient, you generally remain accountable for what they do with it. If your MSP’s offshore centre mishandles or leaks your customer data, the law can treat that as your breach. “Our provider’s subcontractor did it” is not a defence — it’s an admission.
And the stakes have never been higher. Since December 2022, serious or repeated privacy interferences carry corporate penalties up to the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover. Since 10 June 2025, individuals can also sue directly under Australia’s new statutory tort for serious invasions of privacy. The regulator has teeth, plaintiffs’ firms are active, and the accountability sits with the Australian entity — you.
The APP 8 liability boomerang
Your business
accountable under the Privacy Act
→
personal information disclosed overseas
Offshore provider
⚠ breach happens here
outside OAIC and court reach
← Liability returns to you: up to the greater of $50m, 3× the benefit, or 30% of turnover
APP 8 in one picture: you can outsource the work, but you can’t outsource the accountability.
Risk 2: Some jurisdictions shelter the people attacking you
It’s uncomfortable but well documented: several of the jurisdictions your data may pass through — or be attacked from — provide effective safe haven to cyber criminals. Russia’s constitution prohibits the extradition of its own citizens, and the world’s most prolific ransomware operations have run from Russian-speaking territories for years with near-total impunity.
Australia has felt this directly. The 2022 Medibank breach — 9.7 million Australians’ records, including sensitive health claims — began with the stolen credentials of a third-party IT contractor, sold on a Russian-language criminal marketplace. In January 2024, the Australian Government used its cyber sanctions powers for the first time, naming Russian national Aleksandr Ermakov over the attack, with the UK and US following. The result? A travel ban and asset freeze. No arrest. No extradition. He remains beyond the reach of Australian law, like Evil Corp’s Maksim Yakubets, indicted by the US in 2019 with a US$5 million reward on his head, who has lived openly in Moscow ever since. In February 2025, Australia went a step further and sanctioned an entire piece of criminal infrastructure — ZServers, a Russia-based “bulletproof” hosting provider that serviced the LockBit ransomware operation.
The MSP channel itself is a prized target for these groups. In 2021, the Russia-linked REvil gang compromised Kaseya — remote-management software used by MSPs — and rode that trusted access downstream into as many as 1,500 businesses in a single strike. One supplier, one weekend, three orders of magnitude of victims.
Why this matters for your MSP choice: when an incident traces offshore, the AFP has no unilateral powers abroad. Cross-border evidence requests move through mutual legal assistance processes that take months or years — long after the data is sold, the trail is cold and the actor is protected. The closer your operational stack sits to non-cooperative jurisdictions, the weaker every post-incident option becomes: investigation, recovery, prosecution and deterrence.
Risk 3: Vetting you can’t verify, and churn you can’t see
In Australia, an MSP can put every engineer through an AFP National Police Check, verify their identity and work rights against government systems, and be held to Australian employment and criminal law if something goes wrong. None of that framework extends offshore. Whatever screening an offshore centre performs happens under a different system, to a different standard, with no practical way for you — the client whose passwords they hold — to verify any of it.
Then add churn. Attrition in offshore BPO hubs routinely runs far higher than in Australian technical teams — industry analyses regularly put it above 30% a year. That means a constant rotation of strangers through the roles that touch your environment, each one a fresh onboarding, a fresh set of credentials, a fresh opportunity for error or abuse. Insider data theft at offshore processing centres is not hypothetical either: cases of staff selling customer banking and identity data have been documented since the mid-2000s, and stolen credentials remain one of the most traded commodities on criminal marketplaces.
There’s a structural wrinkle too: many “offshore teams” aren’t even employed by your MSP. They’re staff of a subcontracted BPO or staffing firm — meaning you are two contracts and one ocean away from the person who can reset your CEO’s password. Ask yourself honestly: could you name them? Could your MSP?
Risk 4: The help desk is now the front door — and attackers know it
Modern attackers have largely stopped “hacking in”. They ring up. Groups like Scattered Spider specialise in voice phishing (“vishing”): calling a service desk, impersonating a staff member or IT colleague — increasingly with AI-generated voices — and talking their way into a password or MFA reset. CrowdStrike reported that help-desk vishing featured in almost every Scattered Spider incident it observed in 2025. High-volume, scripted, trained-to-be-helpful desks are the ideal target, and an outsourced desk that has never met the caller, operating across language and timezone boundaries, is easier still.
Australia’s biggest 2025 breach followed exactly this script. On 30 June 2025, Qantas detected unusual activity on a third-party customer service platform used by its Manila call centre. Attackers had socially engineered their way in and stolen records of 5.7 million customers — names, emails, frequent flyer numbers, and for many, addresses, birthdates and phone numbers. Qantas obtained a NSW Supreme Court injunction against publication; the criminals, operating as Scattered Lapsus$ Hunters, dumped the data on the dark web in October 2025 anyway when their ransom deadline lapsed. A complaint has since been lodged with the OAIC, with class-action exposure and Privacy Act penalties of up to $50 million or 30% of turnover on the table. Two years earlier, MGM Resorts lost roughly US$100 million in impacts after attackers compromised it through a single social-engineering call to a help desk.
Now map that onto your own MSP. Their desk holds far more than your loyalty data — it holds administrative control of your business. If an attacker can convince one agent, anywhere in the world, to reset the wrong credential, your Australian firewalls never even come into play.
Anatomy of a help-desk vishing attack
1
Attacker calls, impersonating staff
often with AI voice cloning
→
2
Outsourced desk resets password + MFA
caller unknown, script followed
→
3
Privileged access granted to attacker
firewalls never engaged
→
4
Data stolen, ransom demanded
then leaked if unpaid
The pattern behind Qantas (2025) and MGM Resorts (2023): no malware required — just one persuaded agent.
Your security is only as strong as the identity checks of whoever answers your MSP’s phone.
Risk 5: Compliance, insurance and the recourse gap
Australian regulation is converging on one theme: you own your supply chain risk. APRA-regulated entities must manage material service providers under CPS 230 (in force since July 2025) and information-security third parties under CPS 234. Critical infrastructure operators carry supply-chain obligations under the SOCI Act. Aged care providers face lifted governance and information-management expectations under the new Aged Care Act that commenced in November 2025. Businesses with turnover above $3 million must now report ransomware payments within 72 hours. And the OAIC received more than 1,100 data breach notifications in 2024 — the highest annual total since the notification scheme began — with third-party and supplier breaches a recurring feature.
Cyber insurers have noticed. Proposal forms increasingly ask where your data is held, who has privileged access, and whether support is outsourced or offshored. Answer wrongly — even unknowingly, because your MSP never told you — and you risk a denied claim at the exact moment you need the policy most.
Finally, think about recourse. Your contract is with an Australian entity, but the failure happened inside a foreign subcontractor. Which court? Whose law? What assets could you ever recover against? In practice, cross-border enforcement for an Australian SMB rounds to zero. And remember the location question covers systems as well as people: where do the ticketing platform, RMM console, IT documentation (including your passwords and network diagrams) and backups actually live?
Onshore vs offshore support: the accountability gap
Law governing the people with your passwords
100% onshore MSP
✓ Australian criminal, employment and privacy law
Offshore / hybrid MSP
⚠ Foreign law; possibly multiple jurisdictions via subcontracting
Regulator reach (OAIC)
100% onshore MSP
✓ Direct, end to end
Offshore / hybrid MSP
⚠ Stops at the border; APP 8 liability stays with you
Staff vetting
100% onshore MSP
✓ AFP National Police Checks, verifiable
Offshore / hybrid MSP
⚠ Varies by country and BPO; effectively unverifiable by you
Who employs the technician
100% onshore MSP
✓ Your MSP, directly
Offshore / hybrid MSP
⚠ Often a third-party BPO you’ve never heard of
Post-incident investigation
100% onshore MSP
✓ AFP / ACSC engaged directly, evidence onshore
Offshore / hybrid MSP
⚠ Mutual legal assistance across borders; months to years
Contract enforcement
100% onshore MSP
✓ Australian courts, recoverable assets
Offshore / hybrid MSP
⚠ Cross-border claims rarely viable for SMBs
Insurance disclosure
100% onshore MSP
✓ Simple and accurate
Offshore / hybrid MSP
⚠ Complex; undisclosed offshoring can jeopardise claims
Five incidents, one lesson: the third party is the target
2021
Kaseya
Ransomware pushed through MSP software to up to 1,500 downstream businesses.
The third-party angle: Russia-linked REvil weaponised the MSP supply chain itself.
2022
Medibank
9.7 million Australians’ health records stolen and leaked.
The third-party angle: Entry via a third-party IT contractor’s stolen credentials; sanctioned attacker sheltered in Russia.
2023
Latitude Financial
14 million customer records, including 7.9 million driver licence numbers.
The third-party angle: Attacker used employee credentials obtained from a third-party vendor.
2024
MediSecure
E-prescription data of 12.9 million Australians; roughly 6.5TB exfiltrated.
The third-party angle: Traced back to a third-party vendor; the company later collapsed into administration.
2025
Qantas
5.7 million customer records stolen, then leaked in October 2025.
The third-party angle: Vishing attack on a platform used by its Manila-based call centre.
None of these organisations was breached through its own front door. Every one was reached through a supplier, a contractor or an outsourced desk. That is the modern playbook — and your MSP arrangement is exactly the kind of door it exploits.
10 questions to ask your MSP about offshore access
Put these to your current or prospective provider in writing, and keep the answers. Vague responses are answers too.
- Where, physically, is every person located who can access our systems — including after-hours, overflow and project teams?
- Are those people your employees, or a subcontractor’s? If subcontracted, name the entity and its jurisdiction.
- What background checks do they undergo, under which country’s system — and can you evidence them?
- In which countries are your ticketing, RMM, documentation and password-management platforms hosted — and where do backups of our data reside?
- Who answers our calls at 2am, and what identity verification do they perform before resetting a password or MFA token?
- How do you meet APP 8 obligations for any personal information our staff or clients pass through your systems?
- Will you disclose any offshoring in the contract, and notify us in writing before it changes?
- Does your ISO 27001 or equivalent certification actually cover the offshore site, or only the Australian head office?
- Which law governs our agreement, and how would we realistically enforce it if the failure occurs inside your offshore operation?
- If sanctions, conflict or law changes affect your offshore location, what is your plan for continuity of our service and custody of our data?
What a 100% onshore model actually changes
Keep the entire service inside Australia and every risk in this article collapses into a single, enforceable system. The person resetting your passwords holds an AFP-checkable record and answers to Australian criminal and employment law. Your data, documentation and backups sit under the Privacy Act end to end. The OAIC, the ACSC and Australian courts have full reach. Your contract is enforceable against a local entity with local assets. Your insurance disclosures are simple and true. And when you ask “who exactly has our admin credentials?”, your provider can answer with names, not org charts.
That’s the model Stanfield IT has run for 14 years: 100% Australian owned and operated, with every engineer, every ticket and every credential onshore across our Sydney, Melbourne, Brisbane and Perth teams — backed by a security-first practice spanning Essential Eight uplift, managed detection and response and incident response.
One honest caveat: onshore is a foundation, not a force field. An Australian address doesn’t patch your servers or stop phishing. You still need hardened controls, monitored detection and tested response. The difference is that with an onshore provider, when you verify those controls, the law, the people and the accountability are all within your reach — instead of an ocean away.
Know exactly where your data goes
Ask us the 10 questions above — we’ll answer every one in writing. Then let our Australian engineers show you where your current setup stands.
Frequently asked questions
Is it illegal for an Australian MSP to use offshore staff?
No. Offshoring is legal, and many providers do it. But under APP 8 of the Privacy Act, your business generally remains accountable for personal information disclosed to overseas recipients — so undisclosed offshoring transfers risk to you without your knowledge or consent.
What is data sovereignty in managed IT?
Data sovereignty means your data is subject to the laws of the country where it is stored or accessed. If your MSP’s staff, ticketing system, documentation or backups sit overseas, your data falls under foreign legal frameworks — including foreign government access laws — regardless of what your contract says.
Who is liable if my MSP’s offshore team causes a data breach?
In most cases, you are. Section 16C of the Privacy Act can deem an overseas recipient’s mishandling to be a breach by the Australian business that disclosed the information. Penalties for serious interferences reach the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover.
How do I find out whether my MSP offshores support?
Ask directly and in writing: where is every person with access to our systems located, who employs them, and where are your platforms and our backups hosted? Check whether their ISO 27001 certificate scope covers any offshore site, and review your contract for subcontracting and offshore disclosure clauses.
Why do attackers target offshore help desks specifically?
Help desks hold reset powers over passwords and MFA, handle high call volumes under time pressure, and rarely know callers personally — ideal conditions for voice phishing. The 2025 Qantas breach began at a platform used by its Manila call centre, and MGM Resorts was compromised through a single help-desk call in 2023.
Does using a 100% Australian MSP guarantee security?
No provider can guarantee security. What an onshore model guarantees is jurisdiction: verifiable AFP police checks, Privacy Act coverage end to end, and real legal recourse if something goes wrong. You still need strong controls such as the Essential Eight, monitoring and tested incident response on top.
Sources and further reading
- ASD Annual Cyber Threat Report 2024–25 — cyber.gov.au
- Defence Ministers media release on the 2024–25 Annual Cyber Threat Report — minister.defence.gov.au
- Computer Weekly: Qantas details impact of data breach on 5.7 million customers (July 2025)
- Help Net Security: Qantas data breach could affect 6 million customers (July 2025)
- ACS Information Age: Did the Qantas hackers use AI voice deepfakes? (July 2025)
- SecurityBrief Australia: Qantas data breach exposes 5.7 million in third-party cyberattack (July 2025)
- Privacy Act 1988 (Cth), APP 8 and s 16C — legislation.gov.au; OAIC guidance — oaic.gov.au