Legal Practice Board suffers data breach, notifying data breach victims

October 3, 2025 |

The Legal Practice Board of Western Australia suffered a data breach on 21 May 2025. It claimed the incident was swiftly contained and it implemented changes to avoid a reoccurrence. In the subsequent 5 months it discovered that additional data was accessed by the cyber hacker in addition to that determined in May. Unfortunately that involved health, identity and financial information. Unusually for updates the Legal Practice Board has advised there is low risk of misuse of data because it believes the third party no longer has the Board data.  That is far from the norm.  Usually hackers hold onto stolen data unless they are convinced to destroy it or hand it back.  In the context of ransomware attacks that invariably happens after payment of the ransom.  Unfortunately the Legal Board will not share the basis for the belief.  The Board also claims an injunction will prevent any access or sharing of data.  That is more assertion than evidence.  Injunctions are now becoming quite a standard form response to cyber atacks.  Whether that slows the publication of data on the dark web or the sale of personal information is yet to be seen. 

It is ironic that the statutory body responsible for standards and discipline of the legal profession in Western Australia has had its cyber security been found wanting.  Even more interesting that it took 5 months to discover that more information was stolen than was previously thought.  There is a problem there, either in the nature of the remediation, the resources provided for it or the process for notifying victims.  

The Legal Pratice Board’s recent media release and the history of this data breach provides:

The Legal Practice Board (the Board) experienced a cyber incident in late May 2025 which resulted in some of our systems being taken offline, including our online website services.

Since this time, the Board has worked to restore and ensure the security of our systems, implement temporary manual workarounds where needed, and fully investigate the incident and potential data access. We would like to assure you that the incident was swiftly contained, and we have implemented a range of measures to prevent risk of reoccurrence.

Following a comprehensive investigation, the Board has determined that some additional data was accessed by the third party, beyond the small amount of information disclosed in May which was addressed at the time.

The Board is undertaking a detailed review of this data and on Wednesday 1 October, 2025, commenced notifying individuals whose health, identity and financial information was involved. 

If you have not received a notification by email or post there is no action you need to take. Please note, emails may be sent to work or personal email addresses.

The Board is continuing to assess whether any other information was involved and will issue further notifications should this be required. This webpage will be updated when the data review and notifications are complete.  

Importantly, the Board considers there is a low risk of misuse of the data involved, based on the following factors:  

  • While the data was subject to unauthorised access by a third party responsible for the cyber incident, based on our investigation we have reason to believe that this third party no longer possesses any Board data. 
  • We have not detected any disclosure of Board data (other than a small amount of low-risk data in May which was communicated about at the time and impacted individuals notified directly). Other than this limited disclosure, we have not detected any misuse of Board data. Dark web monitoring continues and if disclosure occurs, we will respond appropriately. 
  • In the unlikely event that the third party still holds Board data, we have obtained an injunction to prevent any access, dissemination or sharing of data involved in this incident.
  • We are also aware of media claims alleging the sale of the Board’s data to a member of the legal profession. We have investigated this and have found no evidence to substantiate these claims. 
  • Despite these mitigating factors, we have invested significant effort in reviewing information that was accessed to identify the kinds of personal information involved, and where steps can be taken by individuals to protect against potential misuse.

More information about notifications to individuals and the support options available are provided below, along with further details on the incident response, information relating to online services and the manual processing of practising certificates.

Incident background

On 21 May 2025, the Board experienced a cyber incident involving unauthorised access to a portion of our IT environment.  

As soon as the incident was detected, a response team was quickly mobilised, and work began to ensure the security and integrity of the Board’s systems. The incident was quickly contained, and a range of measures to prevent reoccurrence were implemented. The Board also implemented some temporary manual workarounds for its services while restoration works were underway.

While initial investigations were underway, the Board obtained an injunction to prevent any access, dissemination or sharing of data impacted by the incident. This injunction remains in place. 

On 27 May 2025, the third party responsible for the incident disclosed a small amount of data online which was removed within 24 hours following our takedown efforts. The disclosed data contained some limited contact information, some operational and resourcing information and bank account details for the Board, and a very small number of individuals who were directly notified.

The third party threatened to disclose more data on 15 June 2025. On 19 June 2025, the third party published a link to some data, claiming it related to the Board. The Board reviewed this data and confirmed that this data did not relate to the Board. 

The Board has not detected any further activity since 19 June 2025 and dark web monitoring remains in place.

The Board has been working with the relevant government agencies and law enforcement bodies in response to the incident, including the Office of Digital Government Western Australia, the Office of the Australian Information Commissioner (OAIC), the Western Australian Information Commissioner, the Western Australia Police Force and the Australian Cyber Security Centre (ACSC).

Following a detailed review to help determine what other information may have been accessed, the Board is now notifying individuals to provide tailored guidance and support options relevant to the data involved for them.

Involved data 

The Board has identified that some data (beyond the small dataset disclosed on 27 May 2025) was subject to unauthorised access during the cyber incident. The Board has not detected any disclosure of this information. 

Additionally, while this data was accessed by the unauthorised third party responsible for the cyber incident, based on our investigation we have reason to believe that they no longer possess any Board data.  

Notifications to individuals

The Board is undertaking a detailed review of this data and has commenced notifying individuals whose health, identity and financial information was involved. If you have not received a notification by email or post there is no action you need to take.

The Board is continuing to assess whether any other information was involved and will issue further notifications should this be required. This webpage will be updated when the data review and notifications are complete.   

Each notification statement outlines the support services available which are specific and tailored to the information involved for each individual. 

Operational update

The Board has been working to restore systems as soon as possible and implemented temporary manual workarounds to ensure we continued to deliver key services, including processing applications and renewals for Australian practising certificates. More information on this is provided below

What the data breach highlights is the enormous dislocation associated with a data breach.  The Legal Practice Board has not disclosed the cost of recovery, repair and remediation.  It will be considerable.  It has written to practitioners 16 times since 27 May 2025.  The reputational damage is also significant.  The latest development has been reported, and republished, by cyberdaily with Exclusive: Legal Practice Board of Western Australia begins notifying data breach victims.  The article highlights the danger of being overly optimistic with initial conclusions.  The Legal Practice Board initially suggested some limited correspondence was taken down and it contained minimal contact information.  So much for that rosy assessment.  

It provides:

Health, identity, and financial data of West Australian legal practitioners were compromised by a Dire Wolf ransomware attack in May.

 

The Legal Practice Board of Western Australia (LPBWA) has said it has begun notifying individuals whose data was compromised following a cyber attack performed by the Dire Wolf ransomware gang in May.

“Following a comprehensive investigation, the Legal Practice Board of Western Australia (the board) has commenced notifying individuals whose data was involved in a cyber incident earlier this year,” a board spokesperson said in a 1 October statement.

“The board has confirmed that its investigation into the cyber incident has determined that some additional data was accessed beyond the small amount of information disclosed in May, which was addressed at the time.”

The board said that some of those affected by the data breach were legal practitioners and that the data impacted includes health, financial, and personal information.

“The board advises that it is continuing to assess whether any other information was involved and will issue further notifications should this be required,” the board said.

“Importantly, for those with information involved, the board has confirmed that it has not detected any disclosure of data other than the data disclosed in May. This data was also removed within 24 hours following takedown efforts. The board continues to monitor the dark web for any further disclosures and will take appropriate action as required.”

Dire Wolf’s leak site still features LPBWA’s leak post, where it claims to have stolen 300 gigabytes of data; however, the link to the published data is non-functional at the time of writing.

Libby Fulham, the LPBWA’s executive director, said the board “takes the protection of the data we hold very seriously”.

“We have undertaken a comprehensive investigation and are conducting a detailed review of the data involved in this incident to ensure we can provide individuals involved with tailored guidance and appropriate support,” Fulham said.

“I would like to assure our stakeholders that we have not detected any disclosure of any data beyond that disclosed in May. From our investigation, we believe the risk of any disclosure or misuse of data to be low. We have also secured an injunction to prevent any access, dissemination or sharing of any data involved in this incident.”

Fulham said she understands such data breach notifications are a cause for concern, and apologised for any distress caused by the incident.

“We are committed to doing all we can to support those individuals involved and have implemented a number of services to ensure timely advice and support is available, tailored to individual needs,” Fulham said.

The board has also been working to restore online services that were disrupted by the attack and has been using manual workarounds to continue processing practising certificates.

Cyber Security Western Australia, which is part of the Office of Digital Government in the Department of Premier and Cabinet, has been working closely with the board throughout its response.

Wolf attack

The Dire Wolf ransomware attack took place on 21 May, with the hackers sharing details of the hack on 26 May. Limited sample data was published at the time, which the board confirmed was legitimate.

“Some limited corporate correspondence was disclosed on Tuesday, 27 May, which was removed within 24 hours following takedown efforts,” Fulham told Cyber Daily in August.

“This correspondence contained minimal contact information, some operational and resourcing information, and bank account details for the board and a very small number of third parties who have been directly notified.”

A further data set was published by the hackers on 19 June; however, this data, according to the board, was not related to the LPBWA.

Leave a Reply