Legal Practice Board suffers data breach, notifying data breach victims

October 3, 2025

The Legal Practice Board of Western Australia suffered a data breach on 21 May 2025. It claimed the incident was swiftly contained and that it implemented changes to avoid a reoccurrence. In the subsequent 5 months it discovered that the hacker had accessed more data than was identified in May. Unfortunately that involved health, identity and financial information. Unusually for an update, the Legal Practice Board has advised there is a low risk of misuse of the data because it believes the third party no longer has the Board's data. That is far from the norm. Usually hackers hold onto stolen data unless they are convinced to destroy it or hand it back. In the context of ransomware attacks that invariably happens after payment of the ransom. Unfortunately the Legal Practice Board will not share the basis for the belief. The Board also claims an injunction will prevent any access or sharing of data. That is more assertion than evidence. Injunctions are now becoming quite a standard form response to cyber attacks. Whether that slows the publication of data on the dark web or the sale of personal information is yet to be seen.

It is ironic that the statutory body responsible for standards and discipline of the legal profession in Western Australia has had its cyber security found wanting. Even more interesting is that it took 5 months to discover that more information was stolen than was previously thought. There is a problem there, either in the nature of the remediation, the resources provided for it or the process for notifying victims.

The Legal Practice Board’s recent media release, covering the history of this data breach, provides:

The Legal Practice Board (the Board) experienced a cyber incident in late May 2025 which resulted in some of our systems being taken offline, including our online website services.

Since this time, the Board has worked to restore and ensure the security of our systems, implement temporary manual workarounds where needed, and fully investigate the incident and potential data access. We would like to assure you that the incident was swiftly contained, and we have implemented a range of measures to prevent risk of reoccurrence.

Following a comprehensive investigation, the Board has determined that some additional data was accessed by the third party, beyond the small amount of information disclosed in May which was addressed at the time.

The Board is undertaking a detailed review of this data and on Wednesday 1 October, 2025, commenced notifying individuals whose health, identity and financial information was involved. 

If you have not received a notification by email or post there is no action you need to take. Please note, emails may be sent to work or personal email addresses.

The Board is continuing to assess whether any other information was involved and will issue further notifications should this be required. This webpage will be updated when the data review and notifications are complete.  

Importantly, the Board considers there is a low risk of misuse of the data involved, based on the following factors:  
