HWL Ebsworth’s ongoing agony with hackers highlights the need for law firms to maintain proper data security. A very salutary lesson.

June 14, 2023

In late April Russian hackers successfully launched a ransomware attack against HWL Ebsworth, a national Australian law firm. On 30 April they made a demand for a ransom. The ALPHV/Blackcat ransomware group posted on its website that 4 terabytes of data had been hacked. The contents included employee CVs, IDs, financial reports, accounting data, client documentation, credit card information, and a complete network map. As has become usual, the firm responded to enquiries by stating that it had contacted the Australian Cyber Security Centre and will work with them. Further details were scarce. Nothing unusual in that. It has become a standard deflector shield against further enquiry.

That was in early May. But ransomware hackers don’t really care about what their victims say. Particularly hackers as effective as BlackCat. On 11 May the Australian Financial Review reported that the Ebsworth data was posted on BlackCat’s site on the dark web. The AFR also reported that clients, including the Commonwealth Bank, La Trobe Financial and ING Bank, had removed their files from the firm. Given the likely entry point for the hackers was via an email received on a staff member’s personal device, this is a massive loss of billings and reputation for what was likely a preventable data breach. Human error is the cause of the vast majority of data breaches. And that human error is often caused by poor training and supervision. The fact that the firm only became aware of the hack when the hackers advised of the theft of data points to poor internal security. That 4 terabytes of data could be exfiltrated from various data banks of the firm points to no or inadequate programs to monitor and respond to unusual movements of data. Given that HWL Ebsworth is the largest firm by number of partners, that is quite extraordinary.

On 9 June the ABC reported that BlackCat had published 1.45 terabytes of data on the dark web with a statement “ENJOY”. That happened after the demand for ransom payment within 10 days expired without any payment being forthcoming. As the ABC article makes clear, the impact of the data breach goes beyond the personal information of staff and financial records. It goes to personal information and other sensitive material belonging to clients such as government agencies and commercial institutions. That leads to them having to take proactive measures to determine the extent of the loss of their data and what steps they need to take to advise their clients or other persons. Law firms such as HWL Ebsworth hold masses of sensitive and personal information belonging to clients. The Tasmanian Government has reported suffering a possible data breach linked to the attack on HWL Ebsworth.

Given the nature of the data breach, HWL Ebsworth’s focus is on dealing with clients whose clients or employees may have been affected rather than a broad notice to a set group of people. That has been the tenor of its response to enquiries. While that is understandable, HWL Ebsworth has maintained a very restrained response. As overseas experience and the Optus and Medibank data breaches attest, that is not generally a good strategy. Clearly constraints on confidentiality apply; however, a broader explanation is often better than bromides, which are the nub of the response to date. Given BlackCat has not finished with HWL Ebsworth, it is premature to determine the efficacy of the approach taken to date. What can be said so far is that the reputational damage to HWL Ebsworth has been immense. Given the reported nervousness of clients, there is likely to be an impact on the billings as well.

Today the Australian Financial Review reports in “Law firm takes hackers who stole its data to court” that on the King’s Birthday holiday the firm sought and obtained interim injunctive relief against anyone dealing with the client and employee data. Interestingly, the orders are framed to stop further access to or dissemination of information to others, including the media. That may be the most effective part of the orders. The firm acknowledges that the practical effect of the orders is limited. In terms of constraining BlackCat the orders are inutile. Hackers rarely change their ways when they discover they are subject to an injunction. They are criminals located outside of Australia’s jurisdiction and located in a country which will not enforce a court order of this nature. The final hearing of the injunctive relief will be heard today. Injunctions are common enough to restrain money from being moved within, in or out of Australia or to prevent people, identified and likely living in Australia, from using information. The nature of this injunction goes well beyond that.

I find it ironic that HWL Ebsworth has suffered a data breach given it has acted for the Australian Information Commissioner. It acted for the Commissioner, the First Respondent, in the Full Court of the Federal Court matter of AIT18 v Australian Information Commissioner [2018] FCAFC 192, a case where I was junior counsel for the Applicant. In those circumstances one would expect it to be alive to the obligations under the Privacy Act, particularly regarding data security. Then again, I was not overwhelmed with the quality of its work in the case.

The ABC article provides:

Russian-linked cybercriminals claim to have published troves of sensitive data after a large law firm used by the Australian government vowed not to bend to their ransom demands.

Late last night the AlphV ransomware gang, also known as BlackCat, said it had published 1.45 terabytes of data on the dark web that it allegedly stole from HWL Ebsworth in late April, with the message: “ENJOY!!!”

It is unclear what data was published but AlphV has previously claimed to be in possession of internal company data including financial and insurance data, credit card information, agreements and reports.

If the group’s claims are accurate, it means hackers are still holding onto 2.55 terabytes of unpublished data.

AlphV’s claim was first picked up by threat analyst @CyberKnow20 on Twitter.

A spokesman for HWL Ebsworth said the firm was investigating the claim.

“We have learnt that the cyber criminals who accessed our systems have now claimed to have published around one-third of the total data they say has been exfiltrated from our firm,” he said.

“We are investigating this claim and are seeking to identify what data may have been published.

“HWL Ebsworth will not submit to the ransom demand.

“We take our ethical and moral duties to the community very seriously, and we consider we have a fundamental civic duty to not, in any way, encourage or be seen to condone the criminal activity of extorting money by taking and threatening the publishing of other people’s data.”

Home Affairs investigating as governments potentially affected

The hack of HWL Ebsworth represents a significant headache for the firm and its clients, which have previously included ANZ, the South Australian, Queensland and ACT governments, the Environment and Human Services Department and the Australian Taxation Office (ATO).

The ABC is not suggesting that these clients have been directly affected by the hack.

However the federal government has confirmed it was a client of the law firm and may have been caught up in the breach.

The Home Affairs department revealed on Friday it set up three “working groups” to respond to the hack.

A spokeswoman said a specialist legal team has already had 10 meetings to discuss the incident and its “potential impact on the government as a user of HWL Ebsworth’s legal services”.

“A Sensitive Information Working Group may be convened to discuss the management of any information exposed in the breach which may be related to vulnerable people, national security and law enforcement matters,” she said.

The spokeswoman also said that another team, dedicated to identity security, may be started to manage any issues around identifiable information and credentials of those affected.

The Tasmanian government also confirmed it might be affected by the breach, just months after a separate hack compromised names, addresses and bank statements of Tasmanians.

In a statement, Tasmania’s Minister for Science and Technology Madeleine Ogilvie said investigations were underway to ascertain if any information had been compromised in the “illegal release of data held by national law firm HWL Ebsworth onto the dark web”.

“This is concerning and we are working closely with the Australian government to establish if any Tasmanian information has been impacted,” she said.

“While this may take some time considering the volume of data involved — we are taking swift action and will keep the Tasmanian community informed with further developments.”

Ms Ogilvie said the “federal government contacted the state government this morning about the release of data” from the hack.

She told a budget estimates hearing on Thursday that the departments of Justice, State Growth, and Police, Fire and Emergency Management had dealings with the law firm.

In April, the Tasmanian government confirmed names, addresses and bank statements of Tasmanian parents and students had been released online in a data breach involving at least 16,000 documents.

The documents were released by hackers as part of a cyber attack on a third-party transfer software used by the Tasmanian Department of Education, Children and Young People.  

Hack comes amid rise in ransomware attacks

The hackers reportedly issued the threat to publish the data earlier this week, according to the Australian Financial Review.

HWL Ebsworth said it was communicating with its clients.

“We continue to work with the Australian Cyber Security Centre, the Office of the Australian Information Commissioner and all relevant government authorities and law enforcement,” a spokesman said.

“The privacy and security of our client and employee data remains of the utmost importance.”

The incident has prompted agencies like the ATO to warn taxpayers to be alert to scams which refer to HWL Ebsworth.

There has been a dramatic increase in the number of ransomware attacks on Australian businesses.

The Australian Cyber Security Centre has found that there was about a 75 per cent increase in incidents since 2019-20.

The AFR article provides:

HWL Ebsworth has taken out a court injunction to stop anyone dealing with client and employee data that was dumped on the web last week by Russia-linked hackers after a six-week stand-off with the law firm.

HWLE managing partner Juan Martinez told clients on Tuesday that the interim injunction against criminal gang ALPHV releasing more data would also cover “any further broader access to or dissemination”, including by the media.

Justice David Hammerschlag, the chief judge in equity at the NSW Supreme Court, granted the ex-parte interim injunction “against persons unknown” on Monday night and will preside over a hearing at 10am on Wednesday.

It is not anticipated that the injunction will be opposed.

ALPHV, also known as Black Cat, last week released more than a third of the 4 terabytes of data it stole from HWLE’s servers in late April.

The material includes company files, financial reports, accounting data and loans data from a client list that includes most of the ASX100 and numerous government departments.

The data dump came after a “final warning” 10 days ago to pay a ransom amount rumoured to be $5 million.

Mr Martinez conceded the move would have little impact on ALPHV.

‘Practical limits’

“We appreciate that there will be practical limits to enforcing this against the threat actors themselves,” he said in the client note.

“However, we have taken this step with a view to preventing, as far as possible, any further broader access to or dissemination of the data. This includes seeking to prevent the media from accessing or publishing any of the data, or indeed any party.”

He said he believed it was the first time in Australia “that an injunction has been granted against cyber hackers in circumstances such as these”.

HWLE employs 1300 people and is the nation’s largest legal partnership, with 280 partners. The hackers gained access via the personal computer of a staff member and sent their first ransom demand on April 30.

Drip-feeding data

Since the information was released, law firms have been trawling the data to see if their clients are involved. There could be further dumps as ALPHV has promised to drip-feed data to the dark web if the firm continues to refuse to negotiate.

Mr Martinez said HWLE was acting “in the interests of our clients, our employees and our firm” and that any breaches of the order “will be in contempt of court”.

He said this included “engaging in any further transmission, publication, disclosure, use or viewing of the impacted data, or otherwise helping or permitting ALPHV to breach the terms of the order”.

HWLE wrote to media organisations on Wednesday afternoon advising them of the order and warning that “further transmission or publication of the data could have unintended consequences”.

Justice Hammerschlag’s order covers “any person or entity which (i) carried out, participated in or assisted in the exfiltration of the plaintiffs’ documents; or (ii) communicated any extortion demands to the plaintiffs”.

It adds that “any other person who knows of this order and does anything which helps or permits you to breach the terms of this order may be similarly punished”.

The order says it was based on information provided by HWLE’s chief strategy officer, Russell Mailler.

ALPHV, which is believed to be made up of former members of cybercriminal groups DarkSide and BlackMatter, has employed a strategy of “big game hunting” since it emerged in 2021.

Recently, it claimed to have stolen 2 terabytes of data via a legal technology platform used by US agencies, including the FBI and the Department of Defence.
