Data Breach at Australian Law Firm That Caters to Government Agencies, Finance Institutions Could Be the Worst in National History

Australia has been experiencing unusually serious problems with data breaches that involve mass amounts of sensitive information for nearly a year now. It had seemed that the string of attacks and mishaps had begun to ebb, but the latest may well be the worst of the bunch. HWL Ebsworth, one of the country’s most prominent law firms, appears to have had a huge amount of client information stolen by ALPHV/BlackCat.

The firm almost exclusively caters to government agencies, banks and large enterprise-scale businesses. Many of those are among the reported victims, and HWL Ebsworth has secured an injunction to restrict the media from reporting on specific details after some of the stolen information was leaked on the dark web.

Law firm hack may have exposed military information, bank and health records

While the Australian media is restricted from providing specific details about what has appeared on the dark web in connection with the data breach, there is already a lengthy list of compromised law firm clients that provides ample reason for concern.

A data breach notification from the law firm verifies that it became aware of a dark web post boasting of stolen information on April 28, and that some of its confidential client information was leaked by ALPHV/BlackCat on June 9.

The law firm says that the hackers accessed a “confined part” of its network and not its “core document management system.” Whatever portion the attackers broke into appeared to provide quite a bounty of sensitive client data, however. Among the victims of the data breach is The Office of the Australian Information Commissioner, the country’s lead regulator. Also breached were the “big four” (longest-operating) banks: National Australia Bank, Westpac, the Commonwealth Bank, and ANZ. Sensitive military material may have also been accessed in a breach of the Department of Defence, though the government has been tight-lipped about this particular development thus far.

Those are likely the most serious aspects of the law firm’s data breach, but the list goes far beyond those entities. Also known to be impacted are the Australian Federal Police, the Department of Human Services, the Taxation Office, the National Disability Insurance Agency, and the state government of Tasmania. HWL Ebsworth has also disclosed a serious breach of its own internal company data including credit card numbers, loan information, employee CVs and access credentials. A total of about four terabytes of data was stolen from servers located in Melbourne.

However, it remains unclear exactly how much damage was done in each of these cases. National Australia Bank has come forward to say that only a “small amount” of its clients are impacted by the data breach. ANZ said only that employees and customers “may” be impacted and that it is investigating.

ALPHV/BlackCat reportedly asked for a ransom of AUD 5 million, which HWL Ebsworth has thus far refused to pay, resulting in a partial data leak by the attackers.

Chain of data breaches continues to haunt Australia

It is still unclear whether it is part of some sort of targeted pattern or just a coincidence, but Australia has been suffering a string of major data breaches that began in 2022 and was headlined by incidents at Medibank and Optus that each involved millions of sensitive customer records. It had appeared that things had settled down for a bit prior to the March 2023 attacks on IPH Ltd and Latitude Group Holdings that led to the compromise of hundreds of thousands of customer records (collectively). Australian organizations were also not spared from the consequences of the MOVEit hack, which has hit PwC Australia and Medibank (for the second time) among others.

Medibank is not the only recently compromised organization to get swept up in the law firm data breach; the Tasmanian government had its own serious breach in April involving at least 150,000 people that included student records, bank statements and invoices.

The law firm’s injunction has also prompted a fierce debate about free speech in the country, even as Australians tire of repeatedly changing their identification and financial account numbers due to mass data breaches. While anyone with some modest technical knowledge can visit ALPHV/BlackCat’s dark web site to keep abreast of what has been leaked, many rely on the mainstream media to keep informed about these incidents (and potential dangers to their personal identity or accounts).

Amidst all of this, the country has appointed a new head of cybersecurity as part of an ongoing campaign to shore up defenses and restore public faith in information integrity. Air Marshal Darren Goldie, a 30-year veteran of the Royal Australian Air Force (RAAF), is the new chief tasked with improving cyber defenses and government response, and will take his chair on July 3.