Australia’s largest law firm data breach - Lessons for the legal profession
This article was first published on the Law Council of Australia’s Law Management Hub.
The 2023 cyber incident affecting HWL Ebsworth was hardly the first data breach to have an impact on an Australian legal practice, but it was the largest and most devastating in terms of impact across individuals and sectors.
About 4 terabytes of data (or roughly 2.2 million files) was reportedly exfiltrated, a form of security breach that occurs when data is copied, transferred, or retrieved from a computer or server without authorisation. The firm received a ransom demand, which it resisted paying, after which 1.4TB of firm and client data was published on the dark web.
Confidential information belonging to numerous clients and other parties was disclosed in the breach, including data from at least 62 government departments, the four big banks and numerous individuals. Information breached ranged from national security matters and legal advice given in litigious matters to information relating to vulnerable persons, including people with a disability, victims of crime, and sensitive employment and medical information relating to specific legal matters.
As a client of the firm, some of my own business information was exfiltrated in the incident, but not published, and through casual conversations I am aware of others who have similar stories. So, clearly the impact spread far and wide.
HWL Ebsworth was the victim of a serious crime committed by serious criminals and the incident underscores the vulnerability of legal practices and their clients to cybercrime and, in particular, data theft and cyber extortion.
As someone experienced in managing the fallout of cyber events, I am conscious of the sensitivities in writing about this topic, especially for the many highly respected practitioners and staff at the firm and those who have needed to carry an enormous and difficult load as a result of the malicious conduct of cybercriminals who profit from harming others.
However, this incident has many important lessons for the legal profession in terms of how such an incident should be managed and for that reason, after thinking long and hard, my feeling is that the profession needs to discuss this breach and come to grips with what it means for us all.
This article focusses on some of the lessons that can be learned in terms of the prevention, preparation for and mitigation of similar events that could affect other law firms and, indeed, all organisations today.
What happened?
On April 26, 2023, the cybercriminals, or ‘threat actors’, sent messages to HWL Ebsworth via email. Claiming to be from a group named ALPHV, also known as Blackcat, a Russia-based ransomware organisation, they claimed to have infiltrated HWL Ebsworth’s computer systems and stolen data from the firm’s files. About 4 terabytes of data was reportedly exfiltrated.
On April 28, 2023, HWL Ebsworth received an extortion demand of US$4.6 million with three days to pay. The threat actors said, “We warn you that if payment is not made, the information will be published in the public domain … Remember, your organisation is only valuable to you.”
To ascertain the facts and to retrieve its data, HWL Ebsworth communicated with the threat actors through the dark web forum that the actors had used to contact the firm. From these communications, HWL Ebsworth concluded that the threat actors probably did hold the files and data they claimed to have stolen. The firm resisted the extortion demand and on June 9, 2023, the threat actors published 1.4TB of HWL Ebsworth and client data on the dark web.[1]
Injunctions sought by HWL Ebsworth
On June 9, 2023, HWL Ebsworth filed a summons in the Supreme Court of NSW seeking urgent relief against ‘Persons Unknown’, restraining them from dealing with the exfiltrated data by placing it on the internet, transmitting or publishing it, using it for any purpose, or facilitating its publication, without HWL Ebsworth’s consent. On June 12, interlocutory relief was granted and the orders were served on the threat actors via email (the response received from the hackers is not printable here).
On February 12, 2024, HWL Ebsworth obtained default judgment, including the grant of a permanent injunction preventing the publication of confidential information. Before the interim injunction was granted, some media reports contained links to the stolen data set that had been published online.
While it might at first instance seem pointless to seek orders against cybercriminals, the injunctions were effective in preventing secondary publication of or access to the data set by law-abiding persons and organisations, such as media organisations or clients searching to see if their own materials had been published. This served to maintain the confidential nature of the documents, which was obviously important for clients and others whose information had been published.
Although the injunction proceedings may have been the first time this approach was taken in Australia, similar proceedings had been taken before in Ireland and the United Kingdom.
Disclosures to those affected
The injunction meant those who had their data posted on the dark web could only find this out from HWL Ebsworth itself, meaning a significant delay before they were informed given the volume of information that was affected.
Entities subject to the Notifiable Data Breaches regime under the Privacy Act 1988 are required to conduct an assessment of ‘suspected’ eligible data breaches and to take reasonable steps to complete this assessment within 30 days. However, the Guardian reported that some individuals were not informed for up to six months that their information was breached (proposed changes to the Privacy Act will reduce the mandatory timeframe to 72 hours).
In September 2023, Air Marshal Darren Goldie, then Australia’s national cybersecurity coordinator, defended the time taken to inform those caught up in the breach as a measure to avoid sparking anxiety.
“While there is some benefit in getting that information into the public domain early on, I made the decision to allow HWL Ebsworth to notify individuals through NDIS providers and caregivers first before making the information public.”[2]
As a result of the high-profile data breaches affecting Australian organisations in 2022 and 2023 due to cyber events, the government and the Office of the Australian Information Commissioner (OAIC) have identified the security of personal information as a regulatory priority and the OAIC is prioritising regulatory action that addresses areas where there is the greatest risk of harm to individuals.
On February 21, 2024, the OAIC commenced an investigation into HWL Ebsworth’s acts or practices in relation to the security and protection of the personal information it held, and the notification of the data breach to affected individuals.
HWL Ebsworth has said that the threat actors were able to access the network via a junior employee’s computer (there is no suggestion this was anything other than accidental or inadvertent). While multi-factor authentication (MFA) is highly useful in securing accounts, there are various techniques that cybercriminals can employ to get around it. HWL Ebsworth has said this is what occurred, although the firm was unsure which technique was employed.
General comments
In the digital era, the traditional emphasis on keeping information ‘just in case’ needs to be replaced with a philosophy of ‘if we don’t need to keep it, get rid of it’.
The National Office of Cyber Security’s Lessons Learned Review* following this incident specifically referred to the need for consistent and accurate public communications, which are important in developing and maintaining transparency and trust.
There is a need for transparency in communications about such incidents, and for preparation, including drafting communications in advance.
Ideally, firm leaders should role-play the crisis management of an incident; for example, in a cyber-incident tabletop exercise, and build ‘muscle memory’ before such an event occurs.
Next, while it may be understandable to focus on the firm’s biggest clients in a crisis, the very nature of legal services means that law firms collect sensitive data relating to many people and organisations, some of whom may not be clients. Although these events are serious crimes, a range of legal, fiduciary and professional duties continue to be owed despite the very difficult circumstances (and regulators will be watching).
Lastly, cyber education that focusses solely on warnings about phishing emails can become a tedious ‘tick the box’ exercise, where staff simply click through programs they view as a compliance curse that serves no meaningful purpose.
Instead, it is important to build a cyber-aware culture where lawyers and support teams are made aware of different types of threats as they continue to evolve.
Managing cyber risk is ultimately everyone’s responsibility in a law practice and, sadly, one that will be an ongoing and daily issue.
Simone Herbert-Lowe is the founder and legal practitioner director of Law & Cyber, a provider of cyber-resilience education and cyber tabletop exercises for executive teams.
* The key review findings
In the executive summary of the National Office of Cyber Security’s Lessons Learned Review into the HWL Ebsworth incident, NOCS noted that a “coordinated response to the incident was effective and supported HWL Ebsworth and impacted government entities to manage the consequences of the incident”.
It highlighted the importance of the following actions in combatting cyber threats:
Central coordination and consequence management functions, like those in the NOCS, objectively reduce the burden on impacted entities.
Consistent and accurate public communications are important to developing and maintaining transparency and trust.
Forums for genuine government-industry engagement in responding to a cybersecurity incident build trust.
Expectations around timely and accurate data analysis should be managed considerately.
Accurate and careful management of working group membership is integral to an effective response.
Consideration should be given to including broader groups of stakeholders in the coordinated response, including both public and private sector-impacted entities.
Timely sharing of identity credential information to government issuing agencies can help to minimise ongoing harm to individuals.
The ongoing role of some regulatory agencies in coordinated consequence management requires careful consideration.
[1] This chronology is taken from the judgment in the legal proceedings commenced by HWL Ebsworth against “Persons Unknown” issued on 12 February 2024, in which HWL Ebsworth obtained orders restraining the defendants and any third party made aware of the orders from publishing or using any information contained in the stolen data set.
[2] In February 2024, the National Office of Cyber Security published its “Lessons Learned Review” into the 2023 HWL Ebsworth cyber incident, which is available here.