HWL Ebsworth obtains a continuing, indefinite injunction over its data breach and says it has spent 5,000 hours and $250,000 fighting the hackers

June 15, 2023

Major data breaches result in major outlays on rectification and remedial action, not to mention reputational damage. And the time taken to bring about some sort of resolution is extraordinary. As the Australian Financial Review reports in HWL Ebsworth says it has spent 5000 hours fighting hack, the firm has spent 5,000 hours and $250,000 fighting Black Cat, which breached the firm's cyber defences and exfiltrated 4 terabytes of data without its knowledge. In fact, when the firm was first contacted by Black Cat on 28 April 2023 the overture was dismissed as spam. Clearly inadequate cyber security practices morphed into farce with this turn of events.

According to the report, which is based on affidavit material filed with the New South Wales Supreme Court:

  • the data related to hundreds of clients
  • the data covers a period of at least 5 years
  • the personal information includes:
    • health records
    • financial details
    • sensitive information as defined in the Privacy Act
  • McGrathNicol had been paid $250,000 for its services so far, with the prospect of further payments
  • law firms and businesses have been trawling through Black Cat’s data dump

The order has not been made public. The ineffectiveness of an order restraining Black Cat from releasing the rest of the stolen data is obvious: it is a criminal group located outside Australia, most likely in Russia. The orders against those who might use the data already released may have more force if those individuals are in Australia. For those acting with nefarious intent, again, a contempt of court prosecution figures low amongst their concerns. The terms of the orders against “any further broader access to or dissemination” of the data do have bite, because they apply to media who could otherwise report on what data was released and from where it was collected. And to a large extent that is the point of the injunction: it restrains publication of the nature of the data that has been stolen and released. Such reporting would damage HWL Ebsworth significantly, and also its clients who provided that information.

How such a broad range of data from hundreds of clients could have been stolen so effectively without any alarm being sounded will no doubt be a question the regulators look at. Why it was necessary to store five-year-old data amongst ongoing matters is another.

What is clear is that, with two-thirds of the stolen data still to be released, this tale of woe for HWL Ebsworth will continue. It refuses to pay the demanded ransom, and Black Cat has the means, motive and opportunity to express its displeasure in the most excruciating way possible for the firm.

The article provides:

Law firm HWL Ebsworth said it had already spent 5000 hours and $250,000 fighting Russia-linked hackers, as a judge extended an injunction aimed at stopping further exposure of sensitive staff and client data.

Justice David Hammerschlag, the chief judge in equity at the NSW Supreme Court, said the interim orders he made on Monday pending a hearing on Wednesday would now apply indefinitely.

The injunction not only restrains ALPHV, or Black Cat, from releasing the rest of the stolen information, but covers “any further broader access to or dissemination”, including by the media.

The firm admitted in affidavits for the injunction that the stolen data related to hundreds of clients and spanned at least five years.

It said those affected included the four big banks, numerous other ASX-listed companies and federal and state governments. The client data included material subject to legal privilege and confidentiality orders by courts, trade secrets and commercial strategy information.

The personal information included health records, financial details and information about “political and religious affiliations, sexual orientation and criminal records”.

Chief strategy officer Russell Mailler said in his affidavit that the firm had refused to pay a ransom, said to be $5 million, to the ALPHV group – also known as Black Cat.

Mr Mailler said that when the hackers first contacted HWLE via email on April 28, “it was reviewed and dismissed as spam due to its nature”.

He said ALPHV had been in regular contact with the firm over the next six weeks and that a “final warning” was delivered on June 3.

“HWLE continued not to respond to, or otherwise engage in any way with ALPHV, and was not prepared to entertain paying the ransom or enter into any negotiations with respect to that ransom demand.”

About a third of the claimed haul of 4 terabytes of data was released to the dark web on June 9, and law firms and businesses have since been trawling through the data dump to see if they are included.

HWLE partner Andrew Miers said in his affidavit that the firm had engaged forensic investigators McGrathNicol to review the breach and had already paid them $250,000.

He added that partners and staff had spent at least 5000 hours on the task and noted the figure – like the bill for McGrathNicol – would “continue to increase”.

At Wednesday’s hearing, Justice Hammerschlag refused an application by lawyer Larina Alick for Nine, owners of this masthead, to make submissions opposing the terms of the injunction.

However, the judge amended his interim order to allow third parties affected by the injunction to apply to the court to vary its orders.

HWLE is Australia’s largest legal partnership, with 278 partners and 1400 staff, and is headed by managing partner Juan Martinez.
