Information Commissioner to Investigate HWL Ebsworth Data Breach
The work of the law firm with a number of government agencies had consequences for Home Affairs and the AFP. The data was accessed on the dark web.
The Office of the Australian Information Commissioner (OIAC) has initiated an investigation into the 2023 HWL Ebsworth data breach. The firm fell victim to ALPHV ransomware in April of the previous year, and the stolen data was eventually leaked on the darknet during a three-week period in June.
Sixty-five government agencies, including Home Affairs and the Australian Federal Police (AFP), were affected. All were direct clients of HWLE’s legal and consulting services. A significant number of private sector clients also had their data compromised.
The investigation has been launched despite the Department of Home Affairs previously stating that the formal government response to the incident had concluded last September.
Investigation Will Center on Protection of Personal Information
The OAIC announced that a preliminary inquiry took place in June. The new, expanded investigation will focus on how HWL Ebsworth managed “the security and protection of the personal information it held” as well as its notification process for those affected by the breach.
“The Commissioner has a range of options available to her if following her investigation she is satisfied that an interference with the privacy of one or more individuals has occurred,” the OAIC said in a statement.
“This includes making a determination, which can include declarations that HWLE take specified steps to ensure that the relevant act or practice is not repeated or continued, and to redress any loss or damage suffered by reason of the act or practice. If the investigation finds serious or repeated interferences with [the] privacy of individuals, then the Commissioner has the power to seek civil penalties against HWLE from the Federal Court of Australia.”
The attack was carried out by cyber criminals known as ALPHV and linked to Russia. They were able to steal 2.7 million files containing sensitive information about clients and employees.
Related Stories
They then sent the law firm a message reading: “Hello, the largest legal partnership in Australia now have a big problem with your data leak. You have three days till Friday, after that we make your post public and if you still keep silence, we will prepare documents for publication.”
However, executives at HWL Ebsworth decided it was only spam and ignored it. When the hackers tried again two days later, the firm’s spam filters blocked the emails.
It was only when ALPHV posted about the hack on the dark web, and this was brought to its attention, that the law firm realised it was facing a serious threat.
A third attempt by the hackers to contact HWLE was successful.
“There is very little [time] left before the publication of your data in the public domain,” they wrote. “What have you decided? We will make a good discount, suitable for redemption. This is our offer.”
They reputedly asked for $5 million.
The communications were revealed when Ebsworth won a Supreme Court injunction to stop the hackers releasing any more information.
HWL Ebsworth customers include Australia’s four largest banks, major Australian and international insurers, share market-listed companies, and governments.
The stolen data included information relating to hundreds of corporate clients dating back at least five years: clients’ internal documents, lawyer and client communications, financial data, trade secrets and details of commercial strategies.
It also included personal and sensitive information about individuals, including health records, identity documents and information about their racial and ethnic origins, political opinions, political and religious affiliations, sexual orientation and criminal records.
