The continuing ripples from the HWL Ebsworth data breach; NAB bank data leaked online

June 20, 2023

Large data breaches are rarely resolved quickly. That is why I am so surprised that organisations with the means and structures are so complacent about their data security. The focus is minimal compliance rather than security that is fit for purpose. The HWL data breach will be a long and excruciating process. The latest development is that data belonging to NAB has been found online. See the Australian’s story NAB the latest to be confirmed as victim of HWL Ebsworth hack, with bank data leaking online. Beyond the revelation that NAB has been affected, the article itself is something of a reheating of earlier reporting.

NAB has been motivated to issue a statement which provides:

“We are aware that HWL Ebsworth, a law firm engaged by NAB for some legal services, has been impacted by a cyber-attack. NAB’s systems were not impacted and remain secure. We are working with HWLE as they continue to get more information in relation to the content of these matters.”

There will be more statements like this from affected HWL Ebsworth clients (or ex clients). 

Based on the limited information provided to date it appears that the transfer of documentation from clients to the firm was not through access provided to the firm, as often happens with third party service providers working with an entity. In those circumstances the danger is that the initial hack gives rise to another hack as permissions and authorisations are stolen and used to access the other organisation. Here HWL Ebsworth and its clients probably adopted the more traditional, and logical, means of transferring documents. The clients provided Read the rest of this entry »

Hacker gang Clop publishing names on dark web shows that Black Cat’s tormenting of HWL Ebsworth follows a depressingly predictable pattern

June 18, 2023

It is usual practice for hacker gangs to publish names and other data taken from an organisation if a ransom is not paid. Sometimes it is done even without a demand for ransom. It is a malicious act, but that is what criminal gangs do. So it is hardly extraordinary that Black Cat has done that with the data stolen from HWL Ebsworth. In that case it has published only a third of the data stolen. That is possibly because Black Cat retains hope that a ransom will be paid for the balance of the documents, or because it wants to prolong the pain it inflicts upon HWL Ebsworth. Another well-practised option is to negotiate with organisations and agencies affected by the data breach. Alternatively it could sell the remaining data to interested players. It is impossible to say, and Black Cat is not in the business of advertising its moves, so it is a matter of waiting for the next move. And it will come.

The BBC reports in Hacker gang Clop publishes victim names on dark web on another instance of the odious practice of publishing names on the dark web as a result of a mass hack. It is a slightly different approach, posting names rather than a document drop per se: publish the names before public disclosure of the stolen data. Clop found a zero day vulnerability on the MOVEit site. Because MOVEit is a platform designed to transfer data between organisations, Clop had access to masses of data stored on MOVEit’s platform, which it stole. The data belonged to a number of organisations and institutions. Bleeping Computer covers the story well with Clop ransomware gang starts extorting MOVEit data-theft victims.

There is a strong similarity between the HWL Ebsworth and the MOVEit data breaches.  In both cases the value to the hackers of the data stolen is that it comes from a range of entities rather than the data belonging to the entity breached.  In HWL Ebsworth’s case Black Cat downloaded data belonging to clients and other entities from 2,000 data sites within the firm’s system.  In MOVEit’s case Clop stole data from its platform.  The intent is the same, using Read the rest of this entry »

HWL Ebsworth data breach reveals potential loss of government information, including Defence data.

June 17, 2023

The HWL Ebsworth data breach saga is following a familiar trajectory involving a significant loss of data: announcement of the data breach, statements about working with the Australian Cyber Security Centre and other authorities, details slipping out about how much material was lost, indications in a general statement about what personal information is involved (so far that includes dates of birth, driver’s licences and names) and steps taken to remedy the breaches. That is a fairly familiar trajectory. This data breach has other features which make it a less standard data breach: the focus is not on data generated by the firm but rather on data collected from clients or otherwise related to the provision of legal services; the sensitivity of the information is, seemingly, more related to government information than to personal information; and third parties, especially government departments, are becoming very active in working out the extent to which the data breach affects them directly. The Australian reports in Data on secret missile testing site, attack helicopters and police operations stolen by hackers that the hackers have stolen files relating to military testing, police intelligence and government procurement. That data is of great interest to state players such as Russia and China and pretty much anyone else in the Indo-Pacific region. It is hardly controversial that Australia’s friends collect data about the Australian government. That has always been part of the unspoken role of overseas embassies.

The Office of the Australian Information Commissioner released a belated statement on the data breach, reported here, providing:

On 8 May 2023, HWL Ebsworth reported a data breach to the Office of the Australian Information Commissioner (OAIC) in the OAIC’s capacity as regulator of the Notifiable Data Breaches scheme.

HWL Ebsworth provides legal services to a range of Commonwealth clients, including the OAIC.

On Saturday 10 June, HWL Ebsworth advised the OAIC that a document or documents relating to a limited number of OAIC files were included in the breach experienced by HWL Ebsworth.

HWL Ebsworth is currently providing further information to the OAIC about those documents. The OAIC will review those documents to see whether they contain personal information, and, consistent with requirements under the Notifiable Data Breaches scheme, will notify affected individuals where necessary.

The OAIC’s systems have not been compromised.

The statement begs more questions than it answers. The data breach was reported in early May and the Australian Financial Review has been covering the story regularly. It is difficult to understand how, in the 5,000 hours HWL Ebsworth claims it has spent on the data breach, it could not have notified the Commissioner earlier than 10 June. And it could have gone into more specifics than “a document or documents” about a “limited number of OAIC files”. The statement leaves open the conclusion that HWL Ebsworth has not completed its task vis-à-vis the OAIC files. That is extraordinary. It has been 6 weeks since the firm was advised about the data breach. The opaqueness of the statement makes it almost meaningless, except if the intention is merely to make a statement.

Many organisations have quite good outward looking cyber security, providing a hard shell against cyber attacks. A cyber wall surrounding a site, so to speak. Unfortunately that is all too often the limit of the defences. Those defences are ineffective when hackers acquire valid credentials from an employee, as appears to be the case here, and enter the system. Many organisations have very poor systems established for monitoring suspicious network activity or internal protections such as silos of information requiring separate authentication. In the case of the HWL Ebsworth data breach, apparently Black Cat accessed the drives of 2,000 employees and copied what was there. How that could happen without raising any sort of alarm is a concern.

There are programs which can identify abnormal access patterns, database activities, file changes, and other out-of-the-ordinary actions. Those are indicia of Read the rest of this entry »
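As an added illustration of the kind of monitoring the paragraph describes (this is not code from the original post or from any product it mentions): a small Python check over constructed file-server audit lines that flags an account reading from an unusual number of other people’s directories within a short window, the pattern a single stolen credential copying thousands of employee drives would produce. The log format, account names, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records (not real logs): "<ISO timestamp> <account> <path>"
SAMPLE_AUDIT = """\
2023-04-27T09:00:05 alee /users/alee/matters/contract.docx
2023-04-27T09:02:40 alee /users/alee/matters/advice.docx
2023-04-27T09:03:10 bkim /users/alee/matters/advice.docx
2023-04-27T09:03:12 bkim /users/cwong/matters/brief.pdf
2023-04-27T09:03:15 bkim /users/dpatel/finance/ledger.xlsx
2023-04-27T09:03:19 bkim /users/efox/hr/cv.pdf
2023-04-27T09:03:22 bkim /users/gray/litigation/affidavit.pdf
2023-04-27T09:03:25 bkim /users/hsu/matters/deed.docx
2023-04-27T09:45:00 cwong /users/cwong/matters/brief.pdf
2023-04-27T09:46:00 cwong /users/alee/matters/contract.docx
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
THRESHOLD = 5                    # assumed: distinct other users' directories per window


def parse_line(line):
    """Return (timestamp, account, directory owner) for one audit line.
    Owner is the segment after /users/, or None for paths outside it."""
    ts, account, path = line.split(maxsplit=2)
    parts = path.strip("/").split("/")
    owner = parts[1] if len(parts) > 1 and parts[0] == "users" else None
    return datetime.fromisoformat(ts), account, owner


def max_fanout(events, window=WINDOW):
    """Largest number of distinct owners' directories one account touched
    within any window. events: list of (timestamp, owner) for one account."""
    events.sort()
    counts = defaultdict(int)
    best, left = 0, 0
    for ts, owner in events:
        counts[owner] += 1
        # Slide the left edge forward until the window fits
        while ts - events[left][0] > window:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def find_mass_access(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (fan-out per account, accounts at or above threshold)."""
    per_account = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, owner = parse_line(line)
        if owner is None or owner == account:
            continue  # own directory or non-user path: not a fan-out signal
        per_account[account].append((ts, owner))
    fanout = {a: max_fanout(ev, window) for a, ev in per_account.items()}
    flagged = {a: n for a, n in fanout.items() if n >= threshold}
    return fanout, flagged


if __name__ == "__main__":
    print(find_mass_access(SAMPLE_AUDIT))
```

A real deployment would feed the same logic from the file server’s audit log or an EDR/SIEM and tune the window and threshold to the organisation’s normal sharing patterns.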

The HWL Ebsworth data breach; the ripple effect. Its government clients set up working groups to sort through the rubble and work out what happens next

June 16, 2023


With large organisations, firms and government bodies, the data that is compromised often belongs to third parties such as clients or other organisations. With law firms that involves information provided as necessary to permit advice work or litigation. And so it is with the HWL Ebsworth data breach, which has led to the inevitable round two of the data breach: the clients of the firm doing damage assessments of what has happened to their data. The Australian reports in Fears government data has been stolen by cyber criminals grow as law firm’s clients are revealed that government departments have set up committees to determine the extent of the damage. And not before time. Black Cat has not released two-thirds of the data it exfiltrated. That is likely to happen at the most inopportune time, given HWL Ebsworth has stated it will not pay a ransom.

The Australian article provides:

The Albanese government has established a crisis group to examine what commonwealth data has been stolen by Russian-linked hackers who infiltrated the systems of HWL Ebsworth, the giant law firm that has tens of millions of dollars of contracts across at least 40 government departments and agencies. Read the rest of this entry »

European Lawmakers pass AI regulation bill

June 15, 2023

Artificial intelligence has the world aflutter. The clear benefits that have already been demonstrated have been accompanied by panicked calls ranging from banning it, akin to putting the toothpaste back in the tube, to heavily regulating it. The European Union is opting for the regulation route. The European Parliament has just passed the first regulation for use of Artificial Intelligence. It is reported by Foreign Affairs with EU Lawmakers Pass Landmark AI Regulation Bill. Australia is in the very early stages of considering regulation of Artificial Intelligence. It is an almost foregone conclusion that there will be some form of regulation and it will impact on privacy law.

The European Parliament’s media release Read the rest of this entry »

HWL Ebsworth obtains a continuing indefinite injunction regarding the data breach and says it has spent 5,000 hours and $250,000 fighting the hackers

Major data breaches result in major outlays on rectification and remedial action, not to mention reputational damage. And the time taken to bring about some sort of resolution is extraordinary. The Australian Financial Review reports in HWL Ebsworth says it has spent 5000 hours fighting hack that the firm has spent 5,000 hours, and it has cost $250,000, fighting Black Cat, which breached the firm’s cyber defences and exfiltrated 4 terabytes of data without its knowledge. In fact when the firm was first contacted by Black Cat on 28 April 2023 the overture was dismissed as spam. The clearly inadequate and poor cyber security practices morphed into farce with this turn of events.

According to the report, which is based on affidavit material filed with the New South Wales Supreme Court:

  • the data related to hundreds of clients
  • covers a period of at least 5 years.
  • the personal information includes:
    • health records
    • financial details
    • sensitive information as defined in the Privacy Act
  • McGrathNicol had been paid $250,000 for their services so far with the prospect of more payments forthcoming
  • law firms and businesses have been trawling through Black Cat’s data dump.

The order has not been made public. The ineffectiveness of an order restraining Black Cat from releasing the rest of the stolen data is obvious. It is a criminal group located outside of Australia, most likely in Russia. The orders against those who might use the data already released may be of more force if those individuals are in Australia. For those acting with nefarious intent, again a contempt of court prosecution figures low amongst their concerns. The terms of the orders against “any further broader access to or dissemination” of the data have bite as they apply to media who could report on what data was released and from where that data was collected. And to a large extent that is the point of the injunction. It restrains publication of the nature of the data that has been stolen and released. Such reporting would damage HWL Ebsworth significantly but also its clients who provided that information.

How such a broad range of data from hundreds of clients could have been so effectively stolen without any alarm being sounded will no doubt be a question the Read the rest of this entry »

The Office of the Australian Information Commissioner suffers a data breach courtesy of the successful hacking of HWL Ebsworth. Hackers 1, regulator zero.

June 14, 2023

As they say, “you couldn’t make this up.” The Office of the Australian Information Commissioner has suffered a data breach, according to the Australian’s Peak privacy agency the latest to fall victim to Russia-linked cybercrime gang, through the hacking of HWL Ebsworth’s website. The regulator has regularly engaged HWL Ebsworth to provide legal services. That entails providing information for use by the law firm. And it is at least some of that information that has been compromised. While the Commissioner cannot be blamed for providing information to its trusted legal advisor, it might be interesting to know whether the Commissioner enquired of HWL Ebsworth about the privacy training it gave its staff and the state of security of documents it held under its control. Normally a victim’s answers to such questions are unsatisfactory. The Commissioner is being tight-lipped in its initial response. The concession was made that if personal information collected was compromised then those persons would be notified.

This must be mortifying for the Commissioner. 

At some point the Commissioner would need to provide more than guarded comments. There is a question of making the public trust the integrity Read the rest of this entry »

HWL Ebsworth’s ongoing agony with hackers highlights the need for law firms to maintain proper data security. A very salutary lesson.

In late April Russian hackers successfully launched a ransomware attack against HWL Ebsworth, a national Australian law firm. On 30 April they made a demand for a ransom. The ALPHV/Blackcat ransomware group posted on its website that 4 terabytes of data had been stolen. The contents included employee CVs, IDs, financial reports, accounting data, client documentation, credit card information, and a complete network map. As has become usual, the firm responded to enquiries by stating that it had contacted the Australian Cyber Security Centre and would work with them. Further details were scarce. Nothing unusual in that. It has become a standard deflector shield against further enquiry.

That was in early May. But ransomware hackers don’t really care about what their victims say. Particularly hackers as effective as BlackCat. On 11 May the Australian Financial Review reported that the Ebsworth data was posted on BlackCat’s site on the dark web. The AFR also reported that clients, including the Commonwealth Bank, La Trobe Financial and ING Bank, had removed their files from the firm. Given the likely entry point for the hackers was via an email received on a staff member’s personal device this is a massive loss of billings and reputation for what was likely a preventable data breach. Human error is the cause of a vast majority of data breaches. And that human error is often caused by poor training and supervision. The fact that the firm only became aware of the hack when the hackers advised of the theft of data points to poor internal security. That 4 terabytes of data could be exfiltrated from various data banks of the firm points to no or inadequate programs to monitor and respond to unusual movements of data. Given that HWL Ebsworth is the largest firm by partner size that is quite extraordinary.

On 9 June the ABC reported that BlackCat had published 1.45 terabytes of data on the dark web with a statement “ENJOY”. That happened after the demand for ransom payment within 10 days expired without any payment being forthcoming. As the ABC article makes clear, the impact of the data breach goes beyond the personal information of staff and financial records. It goes to personal information and other sensitive material belonging to clients such as government agencies and commercial institutions. That leads to them having to take proactive measures to determine the extent of the loss of their data and what steps they need to take to advise their clients or other persons. Law firms such as HWL Ebsworth hold masses of sensitive and personal information belonging to clients. The Tasmanian Government has reported suffering a possible data breach linked to the attack on HWL Ebsworth.

Given the nature of the data breach, HWL Ebsworth’s focus is on dealing with clients whose clients or employees may have been affected, rather than a broad notice to a set group of people. That has been the tenor of its response to enquiries. While that is understandable, HWL Ebsworth has maintained a very restrained response. As overseas experience and the Optus and Medibank data breaches attest, that is not generally a good strategy. Clearly constraints on confidentiality apply; however, a broader explanation is often better than bromides, which are the nub of the response to date. Given BlackCat has not finished with HWL Ebsworth it Read the rest of this entry »

UK Information Commissioner reprimands Thames Valley Police for releasing witness details

June 13, 2023

Data breaches through the release of personal information by government and organisations are all too common. They commonly happen when documents are released without being properly reviewed and redacted. A typical example is releasing medical records which contain details of third parties. Police, which collect masses of information in investigations, can release information which identifies witnesses. And this is what happened in the United Kingdom when the Thames Valley Police released details which led to suspected criminals learning the address of a witness. This forced the witness to move house. It resulted in the Information Commissioner’s Office issuing a reprimand to Thames Valley Police (TVP).

As is often the case the ICO found that TVP did not have appropriate steps, such as training, in place to ensure officers were aware of guidance around disclosure and redaction. There was also insufficient oversight of the process in Read the rest of this entry »

To pay or not to pay ransomware hackers: the Government says no pay and the Business Council says provide a safe harbour

June 9, 2023

Verizon’s 2023 Data Breach Investigations Report finds that ransomware was tied to 16% of all data breaches. That is double the figure in last year’s report, and ransomware continued to be a factor in 24% of all data breaches. Interestingly, in 93% of security incidents involving ransomware, victims reported no financial losses, at least based on information submitted to the FBI. The remaining 7% of victims reported a median loss of $26,000. That was double what victims reported two years prior.

The overall costs of recovering from a ransomware incident are increasing while the ransom payouts are lower. This is due to the increase of automation and efficiency of ransomware operators.

The question of paying a ransom is vexed. Ransoms are paid and more often than observers think. Sometimes the hackers abide by the agreement and provide the key which unlocks the data. Sometimes the hackers behave like the criminals they are and take the ransom and provide no key and in fact release the data they exfiltrated from the site, if that was part of the data breach. Some provide the keys but upon unlocking the owner finds the ransomware program has damaged the data. Regulators generally advise against paying ransoms but acknowledge that it is a reality.

The Australian Government is considering making ransomware payments illegal. This has been met with some push back by cyber insurers. The Business Council of Australia has called for a safe harbour. This has been reported by the Australian Financial Review at Businesses call for ‘safe harbour’ during major cyber incidents.

The BCA Read the rest of this entry »