Hundreds of clients of law firm HWL Ebsworth, including dozens of government agencies, have been in discussions with the firm over whether highly sensitive legal information has been exposed.
The Russian-linked ALPHV/Blackcat ransomware group hacked the law firm in April. Earlier this month, the group published 1.1TB of the data it claimed to have stolen, later established to be 3.6TB worth of data.
An analysis of more than 1,000 contracts with HWL Ebsworth published on AusTender over the past decade revealed that at least 60 departments or government agencies have used HWL Ebsworth’s services including the Defence Department, Home Affairs, the Australian federal police, Prime Minister and Cabinet, Services Australia and the Fair Work Ombudsman.
The total value of the published contracts in the past decade alone adds up to almost $140m.
Many of the contracts are for the provision of legal services or advice but some detail much more sensitive work, including cases with the government insurance fund, Comcover, legal advice on monitoring the use of human embryos in research, and investigation into complaints of breaches of the public sector code of conduct at the Department of Veteran Affairs.
Guardian Australia reported last week that the agency responsible for the National Disability Insurance Scheme was also trying to confirm whether its client data was included in the hack, as HWL Ebsworth had represented the NDIA in coverage cases at the Administrative Appeals Tribunal.
The Digital Transformation Agency also said it was seeking to learn whether its own information may have been affected after having recruited HWL Ebsworth to conduct a privacy impact assessment for the former Morrison government’s digital ID legislation last year.
The minister for cybersecurity, Clare O’Neil, said on Friday she could not say which departments had been affected, but said it was a “significant incident” the government was deeply concerned about.
“I would place it in the realm of the most significant cyber incidents that we’ve experienced as a country over the last year, along with Latitude, Optus and Medibank,” she said. “What’s been really important with this particular incident is that the cyber incident response coordination function, which we have been building over the last eight months or so, was on the ground with this company from the very beginning.”
O’Neil made the comments in a press conference to mark the appointment of Air Marshal Darren Goldie as Australia’s inaugural national cyber security coordinator.
HWL Ebsworth told Guardian Australia last week it would not comment on specific clients, but said it was continuing to do a detailed and comprehensive review of the data as swiftly as it can.
Shadow cybersecurity minister James Paterson said in a statement Goldie’s appointment should have come sooner, saying he could have been in the role for what Paterson said was “one of the most serious data breaches affecting sensitive, and potentially classified, government information” in the HWL breach.
Paterson said the coordinator must be open and transparent in any investigation of the hack.
“The first task of the coordinator must be to get to the bottom of what government data has been lost in the HWL Ebsworth attack, the implications of the breach and how to mitigate them, and steps being taken to inform and support affected parties,” he said.
The concern over the hack goes beyond government clients, with National Australia Bank stating earlier this month that it was seeking information from the law firm over whether any of its own information had been affected.
HWL Ebsworth was also involved in the case around Virgin Australia’s administration at the start of the Covid-19 pandemic, but Virgin Australia said it has been assured by the firm its data is not included in the hack.
Prof Monica Whitty, head of department of software systems and cybersecurity at Monash University, said the hack should cause business and government to consider the cybersecurity risk of their suppliers closely.
“I think part of the problem is that a lot of organisations will use third parties in some way or another, but the consideration of their secure systems often doesn’t come into play,” she said. “So they may be keeping their own systems secure and thinking that’s enough. But when you’ve got third parties, you’ve actually got to think about and maybe ask the questions regarding their own cybersecurity practices.”
