Some people who have had dealings with Australia’s privacy regulator were only informed this week that their personal information, including banking data, was caught up in the hack of the law firm HWL Ebsworth.
The Russian-linked ransomware group ALPHV/BlackCat hacked the law firm in April. In September the group published on the dark web 1.1TB of the data it claimed to have stolen – later established to be 3.6TB.
Among those affected were 65 government departments and agencies that HWL Ebsworth had provided legal services, including the Office of the Australian Information Commissioner (OAIC), which serves as Australia’s privacy regulator.
In a letter sent by the law firm to one individual this week, seen by Guardian Australia, HWL Ebsworth said data gathered in its capacity providing legal services to the OAIC was obtained via “unauthorised access to a portion of HWLE’s IT environment”.
“Unfortunately, the incident involved the theft of data from HWLE’s systems, and some of your personal information that is relevant to your dealings with the OAIC was taken as a result.”
The information obtained included name, encrypted messaging contacts, bank details, address and signature.
The letter notes that the firm took out an injunction in the New South Wales supreme court that “seeks to prohibit further access to, use, dissemination or publishing of the data disclosed on the dark web, including by the media”.
The injunction has meant those who had their data posted on the dark web could only find out from the company itself, resulting in the longer period before they were informed.
HWL Ebsworth said the reason it had taken six months since the hack to notify the individual was “because a very large volume of data was extracted but it was not immediately apparent the extent of the impact to personal information”.
“A complex manual review was needed to assess what personal information was involved and identify affected persons.”
Last month Australia’s national cybersecurity coordinator, Air Marshal Darren Goldie, defended the time taken to inform those caught up in the breach as a measure to avoid sparking anxiety.
“While there is some benefit in getting that information into the public domain early on, I made the decision to allow HWL Ebsworth to notify individuals through NDIS providers and caregivers first before making the information public,” he said.
Goldie said at the time that the government’s 16-week formal coordinated response to the attack had ended, but criminal investigations continued.
A spokesperson for HWL Ebsworth referred Guardian Australia back to previous statements made by the company. The company has previously said it had been attempting to inform those affected as swiftly as possible.
Guardian Australia has sought comment from the OAIC.
