The UK Information Commissioner’s Office fines a UK law firm 60,000 pounds after a cyber attack. Australian law firms such as Slater and Gordon, HWL Ebsworth and Brydens Lawyers, each of which has suffered a significant data breach, would be in serious difficulty if their breaches had occurred in the United Kingdom. Australian enforcement is not nearly as strong.
April 17, 2025 |
Law firms are a prime target for data breaches. They hold significant personal information and sensitive information belonging to corporations and government agencies. The UK Information Commissioner’s Office has imposed a very hefty fine of 60,000 pounds on the Merseyside-based DPP Law Ltd following a cyber attack in June 2022 in which over 32GB of data was taken. The firm only became aware of the exfiltration when it was contacted by the National Crime Agency, which advised it that the data had been posted on the dark web. DPP Law Ltd’s cyber security was poor: a brute force attack on an infrequently used administrator account, which had no multi-factor authentication, was sufficient to gain access, after which the attackers were able to move laterally across its network. That bespeaks a very rudimentary system. Then, after being notified of the breach, it took the view that the loss of access to personal information did not constitute a personal data breach and waited 43 days before notifying the ICO. It is a case study of what not to do, which in fact is how the ICO has treated it, publicising the litany of errors committed.
The ICO media release provides:
We have fined Merseyside-based DPP Law Ltd (DPP) £60,000, following a cyber attack that led to highly sensitive and confidential personal information being published on the dark web.
We found DPP failed to put appropriate measures in place to ensure the security of personal information held electronically. This failure enabled cyber hackers to gain access to DPP’s network, via an infrequently used administrator account which lacked multi-factor authentication (MFA), and steal large volumes of data.
DPP specialises in law relating to crime, military, family fraud, sexual offences, and actions against the police. The very nature of this work means it is responsible for both highly sensitive and special category data, including legally privileged information. As the information stolen by the attackers revealed private details about identifiable individuals, DPP has a responsibility under the law to ensure it is properly protected.
Andy Curry, Director of Enforcement and Investigations (Interim), said:
“Our investigation revealed lapses in DPP’s security practices that left information vulnerable to unauthorised access.
“In publicising the errors which led to this cyber attack, we are once again highlighting the need for all organisations to continually assess their cybersecurity frameworks and act responsibly in putting in place robust measures to prevent similar incidents.
“Our investigation demonstrates we will hold organisations to account for a failure to notify where there was a clear obligation to do so at the time of the underlying incident.
“Data protection is not optional. It is a legal obligation, and this penalty should serve as a clear message: failure to protect the information people entrust to you carries serious monetary and reputational consequences.”
Cyber attack details
In June 2022, DPP suffered a cyber attack which affected access to the firm’s IT systems for over a week. A third-party consulting firm established that a brute force attempt gained access to an administrator account that was used to access a legacy case management system. This enabled cyber attackers to move laterally across DPP’s network and take over 32GB of data, a fact DPP only became aware of when the National Crime Agency contacted the firm to advise information relating to their clients had been posted on the dark web. DPP did not consider that the loss of access to personal information constituted a personal data breach, so did not report the incident to us until 43 days after they became aware of it.
You can read the full details of the incident in our monetary penalty notice.
Legal requirements and our guidance
The law requires organisations to take continual and proactive steps to protect themselves against cyber attack. This includes ensuring all IT systems have MFA or equivalent protection, regularly scanning for vulnerabilities and installing the latest security patches without delay.
We have detailed guidance to help organisations understand their security obligations, including the duty for all organisations to report personal data breaches.
Last year we published a cyber report, Learning from the mistakes of others, providing insights for people responsible for compliance with data protection legislation and cyber security at their organisation.
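The attack path the ICO describes, a password-guessing burst against an infrequently used administrator account with no MFA, is one of the easier things to catch if someone is looking at the logon logs. What follows is an added example, not code from the ICO, DPP or its consultants: a small Python triage script run over constructed authentication log lines and a constructed account inventory (the log format, the inventory field names and the thresholds are assumptions). It flags a burst of failed logons from one source, checks whether that same source then logged on successfully, and rates the targeted account on the three properties that made DPP’s account a soft target: privileged, no MFA, and dormant.

```python
"""Detect a brute-force logon burst against a dormant admin account.

Added example, not from the ICO notice or DPP's systems. The log format,
account inventory and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample authentication log, one event per line:
# "<timestamp> <user> <source-ip> <FAIL|SUCCESS>". Twelve failures in
# under a minute from one address, then a success: a guessing burst that
# got in. The jsmith lines are ordinary noise.
SAMPLE_LOG = "\n".join(
    [f"2022-06-10T01:00:{i:02d}Z svc_backup 203.0.113.7 FAIL" for i in range(12)]
    + [
        "2022-06-10T01:00:13Z svc_backup 203.0.113.7 SUCCESS",
        "2022-06-10T01:02:00Z jsmith 198.51.100.4 FAIL",
        "2022-06-10T01:02:20Z jsmith 198.51.100.4 SUCCESS",
    ]
)

# Constructed account inventory (hypothetical field names): privilege,
# whether MFA is enforced, and the last successful interactive logon.
ACCOUNTS = {
    "svc_backup": {"admin": True, "mfa": False, "last_success": "2022-03-01T09:12:00Z"},
    "jsmith": {"admin": False, "mfa": True, "last_success": "2022-06-09T17:45:00Z"},
}


def parse_line(line):
    ts, user, src, result = line.split()
    return datetime.strptime(ts, TS_FMT), user, src, result


def failure_bursts(log_text, threshold=10, window=timedelta(minutes=5)):
    """Return {(user, src): (peak_failures, last_failure_ts)} for every
    user/source pair with >= threshold failures inside a sliding window."""
    fails = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, src, result = parse_line(line)
            if result == "FAIL":
                fails[(user, src)].append(ts)
    bursts = {}
    for key, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            n = end - start + 1
            if n >= threshold and n >= bursts.get(key, (0, None))[0]:
                bursts[key] = (n, t)
    return bursts


def success_after(log_text, user, src, after_ts):
    """True if the same user/source pair logged on successfully at or after
    the burst: the indicator that guessing turned into access."""
    for line in log_text.splitlines():
        if line.strip():
            ts, u, s, result = parse_line(line)
            if u == user and s == src and result == "SUCCESS" and ts >= after_ts:
                return True
    return False


def risk_factors(user, at, accounts, dormant_days=30):
    """Why this target matters: privileged, unprotected by MFA, or dormant."""
    acct = accounts.get(user)
    if acct is None:
        return ["unknown account"]
    factors = []
    if acct["admin"]:
        factors.append("admin")
    if not acct["mfa"]:
        factors.append("no MFA")
    if at - datetime.strptime(acct["last_success"], TS_FMT) > timedelta(days=dormant_days):
        factors.append("dormant")
    return factors


def triage(log_text, accounts=ACCOUNTS, threshold=10):
    """Combine the three checks into alerts, worst first."""
    alerts = []
    for (user, src), (n, last_fail) in failure_bursts(log_text, threshold).items():
        alerts.append({
            "user": user,
            "source": src,
            "failures": n,
            "factors": risk_factors(user, last_fail, accounts),
            "compromised": success_after(log_text, user, src, last_fail),
        })
    alerts.sort(key=lambda a: (a["compromised"], len(a["factors"]), a["failures"]), reverse=True)
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

The detection alone would have paged someone during the burst; the inventory join is what tells the on-call engineer that the account is an unused administrator with no MFA, which is the combination the ICO singled out. In practice the inventory comes from the directory rather than a dictionary, and the dormancy threshold should match how often the account is legitimately used.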
Australian firms have been hit with significant and damaging data breaches recently. The HWL Ebsworth data breach, via a cyber attack in April 2023, resulted in approximately 2.2 million documents being affected. The Information Commissioner opened an investigation in February 2024, 14 months ago. There has been no public resolution of that investigation. It is the subject of a class action, with the National Justice Project now representing 12 National Disability Insurance Scheme (NDIS) participants in a class action against HWL Ebsworth. In March, Cyber Daily reported in Brydens Lawyers suffers alleged 600GB data breach following ransomware attack that the firm had suffered a significant data breach in February 2025. Also in February 2025, Slater and Gordon suffered a humiliating data breach by an insider via an email disseminating private personal information about staff, including their salaries. This is reported by The Australian in ‘Jaw-dropping’: Slater + Gordon in an email scandal for the ages and by the Australian Financial Review in Slater and Gordon mass email scandal is lawyer against lawyer.

Each firm has adopted the Australian norm of being excessively secretive and hoping the problem disappears in the next media cycle. Compared to more mature markets, like the USA and the UK, that is quite risky and bespeaks a poor understanding of how data breaches evolve in both a media and a legal environment. The problem many entities face is that the data breach is just the start of their problems. Regulators commonly find that cyber defences are lacking, document handling is poor, there is no plan for dealing with data breaches and training is inadequate. They also find a poor corporate culture. For example, the problems at Slater and Gordon pre-date the current Chief Executive. It is hardly a secret that management has been poor for some time.
The amendments to the Privacy Act give the Commissioner greater powers to bring enforcement action in a more timely fashion while the introduction of a statutory tort of interference with privacy gives clients and employees of law firms affected by a data breach a cause of action for misuse of personal information, as well as existing rights in negligence and equity.
The Australian article provides:
Most of Slater + Gordon’s more than 900 lawyers and office staff were already at work and behind their computers at 9.48 last Friday morning when a perfectly aimed missile dropped into their inboxes and exploded.
The email was innocuously headed “CPO Handover”, purportedly a note from outgoing interim chief people officer Mari Ruiz-Matthyssen to her successor at the firm, but containing brutal character assessments of many of Slater + Gordon’s most senior lawyers and staff.
And there, in an attached spreadsheet, were the salaries and performance ratings of every member of staff.
Ruiz-Matthyssen has vehemently denied any involvement and Slater + Gordon says it doesn’t believe she wrote the email.
But regardless of who sent the email, Slaters had just become the target of the biggest – and most audacious – hit job ever to strike a major Australian law firm, a devastating attack that is still reverberating through the legal world more than a week later.
The firm that made its name fighting compensation and personal injury cases has been opened up to a raft of claims from current and former employees.
The firm that proclaimed its expertise in running data privacy breach cases – including current actions against Optus and Medibank – had just become a victim of one.
And damningly, though perhaps unfairly, the Labor-leaning firm that positioned itself as the friend of the worker was revealed to be paying its chief executive $690,000 while a Melbourne legal assistant earned $22,916.
Within minutes of the email pinging Slater + Gordon inboxes, gobsmacked staff were poring over the salacious claims – and discovered how much their colleagues were earning.
“Jaw-dropping” was the expression many would later use to describe the email – and the impact of its arrival.
“Oh my God. This is wild,” one staff member recalls.
Was it a hoax? Had it been sent by accident, or deliberately, to destroy Ruiz-Matthyssen – or blow up the whole firm?
One thing was very clear: the author had an intimate knowledge of people at all levels of the firm – which was described as “a textbook case of dysfunction” – expressed in a string of poison-pen portraits.
The author was particularly scathing of CEO Dina Tutungi, whose primary focus was said to be “her own bottom line”. But it was a line about Tutungi’s dinner parties that struck many with its apparent insider access.
“If you’re lucky, you’ll get an invite to an ELT dinner at Dina’s mansion – complete with its own website, private chef, and an air of desperate excess,” the email said. “Last time, it was a tedious affair that fizzled by 8.30pm. No one could leave fast enough. But hey, maybe you’ll enjoy it.”
So astonished were some employees that they immediately forwarded it to friends and colleagues inside and outside the firm – a mistake many fear will come back to haunt them.
Tutungi herself is said to have admitted forwarding the email to a couple of board members, telling a staff meeting she was “kicking herself” because it could have been a cyber attack containing malicious software.
A closer look at the origins of the email, clearly sent from a private gmail address, would have rung alarm bells.
But for the moment, on that Friday morning, chaos reigned at Slater + Gordon.
“Just, like, panic,” says one staffer. “Dina got her executives to get on to speak with their groups, and the executives that had just been named in it. What sort of a request is that?”
Within half an hour, the firm’s IT department scrambled to wipe the email from the system.
By 11am all emails had been deleted – too late to stop it being forwarded 275 times within the company and 25 times to outside parties.
The firm began briefing staff in the same terms it would later use to the media – that what was presented as internal information in the email was “incorrect and in many ways a work of fiction”.
But some of the scandalous detail revealed in the poison-pen portraits was well-known to insiders. And the salaries listed, while dating back to November, were still current for most employees.
What also alarmed many staff was that the email reflected commonly held concerns about the future of the firm following its takeover in 2023 by equity fund Allegro.
“Morale is abysmal, money is haemorrhaging,” the email’s author declared in the “handover”.
“Allegro, true to private equity form, is gutting the place,” the email said. “Heads are rolling, and what remains is a skeletal crew barely keeping things together. The endgame? A polished-up shell to be sold off at the right price. Grim, but predictable.”
The firm was said to be “squeezing every cent out of the lowest-paid workers”, branding it “Big 4 tactics in what is meant to be a labour law firm”.
Even Key Community, the consultancy handling the transformation and values, has warned that the business is drifting too far from its roots, the email claimed.
It wouldn’t be until just after 4.30pm that day that PR crisis consultant and former Labor spinner Adam Sims responded to questions from The Australian, issuing a statement that Ruiz-Matthyssen was not the author or the sender of the email, that it was not her email address attributed, and she intended to report the matter to police.
Almost at the same time, Tutungi was addressing staff in an audio link-up, confirming Ruiz-Matthyssen had not sent the email and describing the episode as an “absolutely awful thing to have happened”.
Tutungi said the leaders and culture of the firm were the real target.
She claimed the data in the salary spreadsheet was wildly inaccurate, including her own reported salary of $690,000.
The email was sent from a gmail account in Ruiz-Matthyssen’s name, but also contained links to her Slater + Gordon email address. Investigators are working to determine if those links were fraudulently added to make it appear Ruiz-Matthyssen had sent information between the two accounts.
Ruiz-Matthyssen herself stayed silent until Monday when she issued a statement through lawyers categorically denying she had sent the email, and noting that “a cursory examination of the email and its attachment gave a clear indication as to the likely identity of the sender”.
The name of a former Slater + Gordon employee, sacked last year by Ruiz-Matthyssen, appears in the metadata of the salary spreadsheet.
But that person has emphatically denied sending the email, telling The Australian: “There’s no way I would have sent an attachment that had my name as the author.”
The ex-staffer said it was “distressing” that people believed she was the author of the email.
“Maybe someone has created a profile on their own laptop and used my name to create that report, or if someone had manipulated the metadata, or someone is using my old profile … to do it,” said the former employee, whom The Australian has chosen not to name.
“There’s no way I would have put my name in there, I’m very proficient in Excel, I wouldn’t have done that.”
The former employee claims her departure from the company was a mutual decision and is governed by a nondisclosure agreement. She said she had “two very brief” meetings with Ruiz-Matthyssen during her time at Slater + Gordon, including one involving her leaving the firm.
“Whoever it is who has written (the email) has a lot of inside knowledge but is also aware of the terrible culture,” the former staff member said. “The fact someone has used our names (means) they obviously want to point a finger at us as well.”
She said neither Slater + Gordon nor the police had been in contact with her since the email was sent.
Police from Victoria’s Cybercrime Squad have been investigating the case alongside the firm’s own IT forensic team, but say they are yet to find the culprit.
As late as Monday evening, some three days after the scandal erupted, Slaters was still telling The Australian a “hostile external actor” was still a plausible scenario, along “with one or more former employees or a group of current and former employees”.
No one believed it was a Russian mafia outfit or a Chinese cyber attack. It was a nonsense suggestion that angered many staff who already thought the company was not being transparent with them.
A pay parity process is now under way to deal with many employees discovering that colleagues have been paid better than them.
All of those named in the email have been offered “specialised support”, though it is understood many have not taken up the offer.
Staff say the firm is still struggling to get back on its feet.
A source within Slater + Gordon said senior management was attempting to “plough on” despite the consuming scandal, with Tutungi expected to front “values” workshops across the firm’s NSW offices next week.
“There was a lot of surprise that Dina is going to go around the offices in person. Is she kidding? Going around plodding along on some values workshop? How about the fact the whole company is supposedly being run into the ground by Allegro and all this stuff has been outed, and you’re going on about values? It’s a bit disingenuous, isn’t it?
“The company keep putting out quotes that the staff are the priority. But the staff don’t think they are a priority. There are many that feel that way.
“People are getting the information from the media, that’s how bad it’s been managed.”
The company says no client data has been breached but staff are concerned about the impact on the firm’s reputation as a cybersecurity expert, asking how it can run a data privacy case against Medibank or Optus “when we can’t even keep our own data private”.
The Slater + Gordon promotions process is usually under way now, but The Australian understands there has been no communication on that.
Usually at this time of year employees start preparing for end-of-year reviews and managers should be having conversations with their people before that, but there haven’t been any communications.
Slaters has asked the employees who forwarded the email to provide an explanation for why they did so, in a presumed attempt to track how the media became aware of it so soon after it was sent.
“Surely their focus should be on the actual investigation, not on the people in the firm who forwarded it on,” the source said.
“They’re saying the investigation is ongoing, but they need to provide an update. There’s more in the media than there has been from the firm.
“It’s hugely embarrassing for the people named in the email, but they are doing what they are told, continuing on as if it’s business as usual. The Slaters leadership group is meeting every other day – it was every day, now it’s every other day.”
In the meantime, Ruiz-Matthyssen is privately seething over what she feels was a failure by the firm to quickly and decisively state she was not involved, which allowed the crisis to escalate despite clear early indications the email had been manipulated.
Ruiz-Matthyssen believes Slater + Gordon made her “the sacrificial lamb” and is set to sue her former employer.
Legal sources said she may have a strong case, given the firm’s apparent failure to guard both its payroll information and its email system, allowing an outside email account to blind-copy hundreds of staff with sensitive information.
One legal source told The Australian: “They allowed this to get out of hand. Basic due diligence wasn’t done before they threw someone under the bus. Her reputation had been all but destroyed by the end of Friday morning.”
The vaunted law firm faces a long battle ahead to ensure its own reputation doesn’t meet the same fate, a path that will only get harder until it can answer the question: Who sent the email?
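On the metadata point raised above: the name recorded as the author of an Office spreadsheet is a plain text field in docProps/core.xml inside the file’s zip container, and anyone able to edit the file can set it to anything. The following is an added example, not code from The Australian, Slater + Gordon or the investigators. It uses only the Python standard library on a constructed minimal OOXML package (the names and date in it are placeholders, and only the parts the functions touch are present): it reads the creator and lastModifiedBy fields and then rewrites them, leaving every other part of the package untouched. The same functions work unchanged on a real .xlsx or .docx, which is why this kind of metadata supports a lead but not an attribution.

```python
"""Read and rewrite the authorship metadata of an OOXML (.xlsx/.docx) file.

Added example, not from The Australian's reporting or any investigation.
It shows that the 'author' of a spreadsheet is a plain XML string in
docProps/core.xml that anyone with write access to the file can change.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
for _prefix, _uri in NS.items():          # keep the usual prefixes on re-serialisation
    ET.register_namespace(_prefix, _uri)
CORE = "docProps/core.xml"


def build_sample(creator, modified_by):
    """Construct a minimal OOXML-style package in memory. Constructed sample,
    not a real workbook: only the parts these functions touch are present."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy>"
        "<dcterms:modified>2024-01-02T03:04:05Z</dcterms:modified>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")   # placeholder part
        z.writestr(CORE, core)
    return buf.getvalue()


def core_properties(package_bytes):
    """Return creator / lastModifiedBy / modified from docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        root = ET.fromstring(z.read(CORE))

    def text(tag):
        el = root.find(tag, NS)
        return el.text if el is not None else None

    return {
        "creator": text("dc:creator"),
        "lastModifiedBy": text("cp:lastModifiedBy"),
        "modified": text("dcterms:modified"),
    }


def rewrite_author(package_bytes, creator, modified_by=None):
    """Return a copy of the package with the authorship fields replaced.
    Every other part is copied unchanged, so a real workbook still opens."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as src, \
         zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        root = ET.fromstring(src.read(CORE))
        el = root.find("dc:creator", NS)
        if el is None:
            el = ET.SubElement(root, f"{{{NS['dc']}}}creator")
        el.text = creator
        lm = root.find("cp:lastModifiedBy", NS)
        if modified_by is not None and lm is not None:
            lm.text = modified_by
        new_core = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
        for item in src.infolist():
            data = new_core if item.filename == CORE else src.read(item.filename)
            dst.writestr(item.filename, data)
    return buf.getvalue()


def part_names(package_bytes):
    """List the parts in the package, to confirm a rewrite dropped nothing."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        return sorted(z.namelist())


if __name__ == "__main__":
    original = build_sample("former.employee", "former.employee")
    print("before:", core_properties(original))
    forged = rewrite_author(original, "someone.else", "someone.else")
    print("after: ", core_properties(forged))
```

A forensic examiner would treat these fields as one data point among several (mail server logs, the sending account’s access history, document revision artefacts) rather than as proof, for exactly the reason the former employee gives: the name can be set by whoever last saved the file, on whatever profile they chose.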