A hack of Parliament House's computer system involved data related to two Senators, Senate President Scott Ryan has revealed.
He did not provide information about whether MPs had also been hit, but said the hack involved "a small amount of non-sensitive data - parliamentary services corporate data and data related to a small number of parliamentarians".
"While I can't precisely guarantee that no other data was removed, extensive investigation has provided no evidence of this," he told Senate estimates hearings on Thursday night.
He also revealed that hackers had accessed the system when "a small number of users visited an external website that had been compromised".
"This caused malware to be injected into the parliamentary computing network," Senator Ryan said. "I reveal this information as a salient warning to all users of the parliamentary network that they must be cautious and vigilant when clicking on any documents, attachments or links that are outside of our environment."
Because "sensitivities" were involved, he would not release more information publicly.
Prime Minister Scott Morrison has already attributed the February hack to a sophisticated state actor, and China has been implicated in the media.
But Senator Ryan has not even said whether a foreign government was believed responsible, let alone which one.
The hackers were inside the parliamentary computer system for some time. The department had become aware of the attack on January 31, and the attacker had been removed on February 8, he said. Two senators had been contacted at the time. He did not say whether they were government senators or ministers.
He was responding to a series of questions on notice from crossbench Senator Rex Patrick, who also asked him what access investigators had been given to the parliamentary computer network.
The Department of Parliamentary Services and the Australian Signals Directorate had worked together on the investigation and repairing the system, Senator Ryan said.
All access from the signals directorate had been approved by the department, and had been limited to investigating technical systems and logs, scanning network traffic, and identifying malware and vulnerabilities.
"Neither ASD or DPS accessed data or information stores held by parliamentarians without their consent," he said. "These technical investigations do not access the contents of parliamentarians' documents, emails or communications and are limited to information required to diagnose or remediate cyber incidents."
Senator Ryan said there was no evidence of insider involvement or assistance.
Senator Ryan has refused to release the report of the hack this year, saying he could not give detail in public.
The hack coincided with an attack on the computer systems of the Liberal, National and Labor parties.
In contrast to the meagre information about the Parliament House computer hack, the Australian National University recently released significant detail of a sophisticated attack on its computer systems in November last year that has been attributed to China.
While no-one clicked on an email link in the ANU case, previewing an attachment was enough for hackers to get a password.
Once inside the ANU system, they used an old server to build operations from the inside, eventually gaining access to the university's HR database.