The HWL Ebsworth data breach; the ripple effect. Its government clients set up working groups to sort through the rubble and work out what happens next

June 16, 2023 |


With large organisations/firms/government data that are comrpromised often belong to third parties such as clients or other organisations. With law firms that involves information provided necessary to permit advice work or litigation. And so it is with the HWL Ebsworth data breach. Which has led to the inevitable round two of the data breach, the clients of the firm doing damage assessments of what has happened to their data. The Australian reports in Fears government data has been stolen by cyber criminals grow as law firm’s clients are revealed that government departments have set up committees to determine the extent of the damage. And not before time.  Black Cat has not released 2/3rds of the data it exfiltrated. That is likely to happen at the most inopportune time given HWL Ebsworth has stated it will not pay a ransom. 

The Australian article provides:

The Albanese government has established a crisis group to examine what commonwealth data has been stolen by Russian-linked hackers who infiltrated the systems of HWL Ebsworth, the giant law firm that has tens of millions of dollars of contracts across at least 40 government departments and agencies.

Sensitive agencies including Home Affairs, the Australian Federal Police, Australian Taxation Office, Department of Defence, Department of Foreign Affairs and Commonwealth Director of Public Prosecutions are among those feared to have been impacted by the hack.

Forensic cyber experts and national security agencies are now working to determine what commonwealth information is among the four terabytes of data stolen by Russia-linked ransomware gang BlackCat, also known as AlphV or AlphaSpider.

The Attorney-General’s Department has established a working group to examine the impact of the data leaks. There are deep concerns within government that data including information on vulnerable people may have been compromised, along with legal advice that could prove deeply embarrassing to the government, its predecessor and its agencies.

While the hackers did not infiltrate government computers, it is understood they did access information provided by government agencies to HWL Ebsworth, and likely also obtained data and advice provided by the firm to its government clients.

The giant law firm specialises in government work, spruiks on its website that it is the only firm appointed to all Australian government legal service panels, and advertises 25 partners who specialise in government work.

A search of the AusTender website shows there are more than 1600 individual current or recently expired contracts or panel agreements between government departments and the law firm, worth tens of millions of dollars.

The Australian has been told there are daily meetings occurring across government as agencies race to determine what data has been accessed, and how damaging any potential release of the data would be.

The hackers published 1.2 terabytes of the data earlier this month, but their site, on the dark web, is currently offline. The hack is believed to have occurred in April, and was reported to the government on May 1.

Most departments contacted by The Australian on Thursday referred inquiries to HWL Ebsworth, but the firm would not comment on its clients. “The privacy and security of our client and employee data remains of the utmost importance,’’ it said in a statement. “We acknowledge and understand the impact this may have, and we continue to communicate closely with our clients.

“We continue to work with the Australian Cyber Security Centre, the Office of the Australian Information Commissioner and all relevant government authorities and law enforcement. We will continue to provide updates as we progress our response.’’

Agencies and departments including Prime Minister and Cabinet, Treasury, Finance, Education, Agriculture, Fisheries and Forestry, Industry, Science and Resources, Employment, and the Department of Foreign Affairs and Trade are all either current or recent clients of the firm, or have panel agreements with it.

The Fair Work Ombudsman, Parliamentary Budget Office, Aged Care Quality and Safety Commission, ASIC and Services Australia are also clients.

The Office of the Australian Information Commissioner – the nation’s privacy watchdog – confirmed on Wednesday it had lost data to the hackers. But The Australian has been told the OAIC breach was “the tip of the iceberg’’ and the likely loss of data extended across the government.

Cyber Security Minister Clare O’Neil’s office confirmed it was investigating the potential impact on government data

A spokesman refused to say how many agencies were clients of the law firm and had been impacted by the hack, referring all questions to HWL Ebsworth.

“The government continues to actively engage HWL Ebsworth as it investigates the extent of the breach, including impacts on commonwealth information,” the spokesman said.

“HWL Ebsworth first reported a cyber incident involving ransomware and claims of data exfiltration and publication to the dark web on 1 May 2023.

“The government is working with HWL Ebsworth to understand and manage potential consequences of the publication of the data. As this matter is the subject of an ongoing joint investigation between the AFP and Victoria Police, it would not be appropriate to comment further.”

Ms O’Neil would not comment on what Home Affairs data may have been compromised.

The AFP, which has multiple contracts with the firm, also declined to comment on what data the hackers may have accessed.

The Australian Electoral Commission said: “Attorney-General’s Department has established a working group to assess the exposure of commonwealth data as a result of the HWL Ebsworth data incident. Questions about that data incident are best directed to the Attorney-General’s Department.’’

Attorney-General Mark Dreyfus’s office referred questions to the department, which said: “It would not be appropriate for the Attorney-General’s Department to disclose details about its engagement of legal services providers. A co-ordinated whole-of-government approach is currently under way to support agencies’ response to the HWL Ebsworth cyber incident.’’

The ATO said it “could not comment publicly on the specifics of our cyber security posture’’ but was aware of the incident. It urged taxpayers to be alert to contact the ATO if they found access to online systems had been affected.

The NDIS Quality and Safeguards Commission confirmed it “had been made aware of the data breach by HWL Ebsworth Lawyers affecting commission information”.


“We will continue to engage with the firm who is working with the Office of the Australian Information Commissioner and other relevant government agencies,’’ the commission said.

A spokeswoman for Defence Minister Richard Marles would not comment on what Defence data may have been impacted, saying: “Specific inquiries relating to this incident should be directed to HWL Ebsworth.’’

Foreign Minister Penny Wong’s office referred questions to DFAT, which did not respond.

While the government was first made aware of the breach on May 1, it does not appear anyone has been notified of a breach, under the requirements of the Notifiable Data Breaches scheme, which was introduced in 2018 and requires organisations to notify people at risk of “serious harm’’ within 30 days.

Opposition cyber security spokesman James Paterson said: “The government must come clean about to what extent other departments and agencies have been affected … given the firm is such a significant provider of services to the government.

“They must also be upfront about whether citizens’ privacy has been impacted. Australians have the right to know if other government data has been lost.’’


Itnews in Law firm HWL Ebsworth in a world of pain after Alphv attack has a very interesting take on the reportage to date and some of the issues I have been raising. It is worth a read. It provides:

It is more than somewhat ironical that HWL Ebsworth, the Australian law firm that is reeling after a ransomware attack that led to massive data theft, has a slogan on its website saying, “We’re not your typical law firm”.


The company also says “The traditional law firm model is tired. This is its wake up call”. Observers would heartily agree with both slogans, given that the typical law firm is definitely not struggling to cope with the after-effects of such a huge theft of data.

On Monday, HWLE sought, and obtained, an injunction from the Supreme Court of NSW, preventing both the attackers and the media from publishing details about the intrusion. It informed many media organisations about this on Tuesday; as iTWire was not included, I wrote and requested a copy of said email. There was silence from the law firm.

But in seeking that very injunction, HWLE had to provide a lot of detail in affidavits to said court, and the Australian Financial Review has milked this trove of information to tell world+dog a lot more about the company that would have otherwise been put out there had it not tried to use legal means to curb the flow of information.

The AFR’s Sam Buckingham-Jones and Michael Pelly, in two articles on 14 and 15 June, have provided ample detail to satisfy even the most ardent voyeur.

For those who haven’t heard of this attack, HWLE was hit by the Alphv ransomware gang sometime in April. The attackers then tried to negotiate a ransom of US$4.6 million (A$6.8 million) or US$4 million in the Monero digital currency.

Buckingham-Jones and Pelly have the gory details of the negotiations here, and it is well worth a read. One additional detail: the entry point for Alphv was a personal computer belonging to a staff member.

As to the information that was available for pilfering, there was government information, confidential information about corporate clients, and personal data from hundreds of clients going back five years, according to the affidavits.

Given that the injunction was obtained from an Australian court, iTWire asked another law firm, Corrs Chambers Westgarth, about how useful it would be in stopping someone in a foreign location from doing what he/she liked with the data.

Michael do Rozario, partner and cyber security expert at this company, replied: “All Australian Supreme Courts have ample jurisdiction to issue injunctions to foreign defendants when the claim is founded on a cause of action arising in Australia.

“The NSW Supreme Court has jurisdiction on matters that can be connected to NSW. It does not matter whether the defendant is physically in the state or the country.

“In relation to a case like this, the NSW Supreme Court clearly has jurisdiction to issue the injunctions that were obtained by HWLE and there is no relevant geographical limit.

“The extension of the orders to viewing or publication of the stolen data by third parties is a sensible move, attempting to limit the publication of the stolen data in the media and on the Internet.

“It will dissuade most law-abiding media companies, websites and news services from publishing the stolen data (or links to it) and commercial data hosting sites will have regard to the orders, and take down the stolen data on request, if a person attempts to use commercial hosting/cloud to publish the stolen data.

“That is not to say that criminals will necessarily be dissuaded from publishing the data on the dark web, but by obtaining these orders HWLE has taken a sensible step to limit the access to the stolen data.”

As iTWire has already reported, a seasoned ransomware researcher, Brett Callow of the New Zealand-based security firm Emsisoft, is of the opinion that such an injunction is unlikely to trouble the attackers in any way.

He pointed to other cases which had tried similar tactics to try and minimise exposure, noting that not a lot had been achieved.

iTWire understands that enforcing an Australian injunction in a foreign location will require a great deal of effort, both in terms of time and money, and success depends entirely on the extent to which the government in that jurisdiction co-operates with an Australian legal entity.

The flood of material about the HWLE attack is not restricted to the AFR’s efforts. News Corp staffer Ellen Whinnett wrote on Friday that HWLE has among its clients “at least 40 government departments and agencies”.

Among these, Whinnett added, were Home Affairs, the Australian Federal Police, the Australian Taxation Office, the Department of Defence, the Department of Foreign Affairs, and the Commonwealth director of Public Prosecutions.

Callow was asked for a general comment on situations of this sort, and he responded: “Generally speaking, many ransomware attacks succeed because of basic security shortcomings such as not having implemented MFA (multi-factor authentication).

“The incidents can expose the victim company’s information, the victim’s business partners’ information, the victim’s clients’ information, and, in some cases, the information of the customers of those client companies.

“This not only provides the hackers with multiple options for extortion, it also provides them with lots of material that can used for phishing. A key element in combatting ransomware is swinging the risk-reward ratio more towards risk, and companies getting their security 101s right would help achieve that.”

iTWire contacted HWLE on Thursday as well, inquiring about the injunction order, its enforceability abroad, what the company would do if a foreign website published full details of the material being progressively released by the Alphv gang, and also whether the injunction was just a bid to help protect against the legal fallout from the breach.

There has been no reply, but the AFR, once again, provides some light on why this policy of silence prevails at HWLE. In its Rear Window section, Mark Di Stefano says, in an article headlined “HWL Ebsworth gags the media”: “In the middle of a corporate meltdown, a button that gags the media must sure be tempting. Why are we not surprised that the owner of the glassiest jaw in Australian law, Juan Martinez, has been fumbling around for the muzzle?”

This article, again, is well worth a read. In closing, this may be a subjective impression, but somehow that injunction does not seem to be doing what it was intended to achieve




Leave a Reply

Verified by MonsterInsights