Sixty-five Australian government departments and agencies were victims of the cyber-attack on legal firm HWL Ebsworth, the national cybersecurity coordinator has revealed.
In a speech on Monday, Air Marshal Darren Goldie also revealed that some people and clients with personal information exposed in the hack have yet to be informed.
The Russian-linked ALPHV/BlackCat ransomware group hacked the law firm in April. Earlier this month, the group published 1.1TB of the data it claimed to have stolen, later established to be 3.6TB worth of data.
In June, an analysis by Guardian Australia of more than 1,000 contracts with HWL Ebsworth published on AusTender over the past decade suggested that at least 60 departments or government agencies that used the firm’s services could have been caught up in the hack.
On Monday, Goldie confirmed 65 agencies had been caught up in the incident.
“As of 18 September 2023, a total of 65 Australian government entities have been impacted, as direct clients of the firm through its legal and consulting services. A large number of private sector clients were also affected,” he said.
“I stress that these agencies were clients of HWL Ebsworth and did not suffer a cyber incident themselves.”
Goldie said after 16 weeks of support, it was “an appropriate juncture” for the Australian government’s formal coordinated response to the incident to end, “with HWL Ebsworth now able to manage its response without formal assistance from the Australian government”.
He said individual agencies would continue to assist affected clients and the investigations under way by the Australian federal police and Victoria police would continue.
Goldie said he would now lead a review with HWL Ebsworth and stakeholders from federal, state and territory governments on lessons learned from the incident that would inform the way governments respond to future attacks.
Guardian Australia reported in June that the National Disability Insurance Agency was scrambling to determine whether its sensitive client information had been caught up in the hack, given that HWL Ebsworth represented the NDIA in appeals cases.
In a speech at a summit hosted by the Australian Financial Review on Monday, Goldie confirmed clients were caught up but revealed he held off informing the public quickly to avoid sparking anxiety in those potentially affected.
“While there is some benefit in getting that information into the public domain early on, I made the decision to allow HWL Ebsworth to notify individuals through NDIS providers and caregivers first before making the information public,” he said.
He also confirmed the Australian federal police and the Department of Home Affairs were victims of the hack, while also being agencies responsible for investigating it.
A spokesperson for HWL Ebsworth said the firm was nearing the completion of its review of the information in the hack, and has been attempting to inform those affected as swiftly as possible.
“This has not been a simple or quick task as the data set is large and unstructured and includes a complex mix of different types of documents and information,” the spokesperson said. “We continue to be cognisant, however, that clients and other potentially impacted individuals and parties will be concerned to understand what data of theirs is impacted. We are nearing completion of that process.”
Goldie said in total around 2.5m documents were taken, with about 1m posted on the dark web.
The firm obtained a non-publication order in the New South Wales supreme court in an attempt to prevent dissemination of the data posted on the dark web. The case against the unidentified hackers is due to return to court in early November.
BlackCat was one of the top three ransomware groups targeting Australia, according to a recent study by cybersecurity firm Palo Alto Networks. The group is paid to hack others and has been active since late 2021. Cybersecurity company Sophos said the group has consistently targeted large organisations.
