The Office of the Australian Information Commissioner (OAIC) has launched an investigation into the 2023 HWL Ebsworth data breach. The law firm was infected by ALPHV ransomware in April last year, and the stolen data was eventually published on the darknet over a three-week period in June.
Sixty-five government agencies were affected, including Home Affairs and the Australian Federal Police (AFP). All were direct clients of HWLE’s legal and consulting services. A large number of private sector clients also had their data stolen.
Investigation Will Focus on Protection of Personal Information
The OAIC announced a preliminary inquiry in June. The new, more extensive, investigation will focus on how HWL Ebsworth handled “the security and protection of the personal information it held” as well as how it later notified those impacted by the breach.
“The Commissioner has a range of options available to her if following her investigation she is satisfied that an interference with the privacy of one or more individuals has occurred,” the OAIC said in a statement.
“This includes making a determination, which can include declarations that HWLE take specified steps to ensure that the relevant act or practice is not repeated or continued, and to redress any loss or damage suffered by reason of the act or practice. If the investigation finds serious or repeated interferences with [the] privacy of individuals, then the Commissioner has the power to seek civil penalties against HWLE from the Federal Court of Australia.”
The attack was carried out by a cybercriminal group called ALPHV, which has been linked to Russia. The group managed to steal 2.7 million files containing sensitive information about clients and employees.
They then sent the law firm a message reading: “Hello, the largest legal partnership in Australia now have a big problem with your data leak. You have three days till Friday, after that we make your post public and if you still keep silence, we will prepare documents for publication.”
However, executives at HWL Ebsworth decided it was only spam and ignored it. When the hackers tried again two days later, the firm’s spam filters blocked the emails.
It was only when ALPHV posted about the hack on the dark web, and this was brought to its attention, that the law firm realised it was facing a serious threat.
A third attempt by the hackers to contact HWLE was successful.
“There is very little [time] left before the publication of your data in the public domain,” they wrote. “What have you decided? We will make a good discount, suitable for redemption. This is our offer.”
They reputedly asked for $5 million.
The communications were revealed when Ebsworth won a Supreme Court injunction to stop the hackers releasing any more information.
HWL Ebsworth customers include Australia’s four largest banks, major Australian and international insurers, share market-listed companies, and governments.
The stolen data included information relating to hundreds of corporate clients dating back at least five years: clients’ internal documents, lawyer and client communications, financial data, trade secrets and details of commercial strategies.
It also included personal and sensitive information about individuals, including health records, identity documents and information about their racial and ethnic origins, political opinions, political and religious affiliations, sexual orientation and criminal records.