Lessons from the HWL Ebsworth Data Breach

The HWL Ebsworth data breach has sent shivers down the spine of every professional consulting firm in Australia.

So, what happened, who was affected, and what did HWL Ebsworth (HWLE) do? And what lessons can we learn from what we know so far about the breach?  

Background on the HWL Ebsworth Data Breach  

Commercial law firm HWLE is Australia’s largest legal partnership, with 278 partners and 1400 staff.  

On 28 April 2023, the firm was alerted that cybercriminals had potentially stolen large chunks of client data. Chief strategy officer Russell Mailler said that when the hackers first emailed HWLE on 28 April, “it was reviewed and dismissed as spam due to its nature”. (More here.)  

It’s unclear when the exfiltration occurred and how long it had been going for before it was ‘discovered’ in April. But it’s likely it went on for some time. More than 4 terabytes of data were reportedly taken.  

According to HWLE, its first act was to engage cyber experts to help with the response – to investigate the incident and undertake containment and remediation actions. That engagement confirmed that the well-known ransomware group ALPHV BlackCat had accessed and exfiltrated information. HWLE has confirmed that the system comprised was a confined part of the firm’s systems, not its core document management system. (In June, it was reported that those experts had already been paid $250,000 for their data breach response support, which would increase.)  

The Ransom Demand

In May 2023, it was reported that HWLE was being asked to pay a ransom, said to be $5 million. That advance was rebuffed. On 8 May 2023, HWLE notified the OAIC of the incident.  

The ALPHV BlackCat group maintained regular contact with the firm over the next six weeks until a “final warning” was delivered on 3 June.  

Given its stellar customer list of government agencies and top corporates, it is unsurprising that HWLE elected not to pay a ransom. According to the HWLE release:  

“HWLE continued not to respond to, or otherwise engage in any way with ALPHV, and was not prepared to entertain paying the ransom or enter into any negotiations with respect to that ransom demand.”  

 On 9 June 2023, HWLE apparently became aware that some of the stolen data had been published on the dark web – at least 1.4TB of data (out of the total 4TB of data that has been taken). According to information included in affidavits lodged in support of the injunction application (see below) the stolen data related to hundreds of clients and spanned at least five years. The published data included material subject to legal privilege and confidentiality orders by courts, trade secrets and commercial strategy information. Specifically, it included:   

• Company credentials.   
• Credit card information.   
• Loans data.   
• Customer identification.   
• Customer insurance documents.   
• Internal company data.   

The Financial Review reported that the likely cause of the breach was human error, just like the Medibank attack. It’s believed that the cybercriminals gained access to HWLE’s server in Melbourne through compromised employee credentials.    

Who did HWLE notify of the breach?  

Given the scale of the breach and the sensitivity of the data impacted, it’s not surprising that HWLE quickly notified a range of different federal agencies. HWLE has reported that:  

Since day one, we have worked closely with the government and all relevant authorities – including the Australian Cyber Security Centre and law enforcement agencies in their ongoing investigation into the incident.   

The NCSC

According to the HWLE update, they ‘actively engaged with the newly appointed National Cyber Security Coordinator (NCSC) Air Marshal Darren Goldie, since his first day in the role, to provide him with a holistic picture of the incident and the actions we are taking.’    

The NCSC role was created as part of the government’s response to the Optus, Medibank and Latitude breaches. (More here on the role of the National Cyber Security Coordinator). The NCSC started in early July, so it got straight on the job dealing with the HWLE breach (by that time, some three months after the identification of the breach).    

The OAIC

According to the OAIC, it was notified on 8 May, over a week after HWLE were alerted of the breach via the dark web post. According to HWLE, they continue to keep the OAIC updated. It remains to be seen whether a formal OAIC investigation will be undertaken.  

Other Departments & Agencies

As well as the NCSC, the ACSC and the OAIC, the federal Department of Home Affairs is also investigating the extent of the breach, including exposure of the Australian Government’s information, including personal information. According to HWLE, they are also working closely with the Legal Services Working Group, comprising representatives from across the Commonwealth and State and Territory governments, coordinated by the Department of Home Affairs.’  

Impact of the Data Breach on HWL Ebsworth’s Clients  

Who Has Been Affected?

HWL Ebsworth client list includes a “who’s who” of Australian federal and state government agencies, banks, and large businesses.  

All four big banks (Westpac, NAB, the Commonwealth Bank, and ANZ) confirmed that they are clients of the firm and may have had data stolen. However, only NAB has so far confirmed that their data has been impacted.

Federal government agencies feared to have been impacted include Home Affairs, the Australian Federal Police, Australian Taxation Office, Department of Defence, Department of Foreign Affairs, and Commonwealth Director of Public Prosecutions.  

Other organisations whose data was involved in the breach include:  

• The federal Fair Work Ombudsman: The Fair Work Ombudsman reported that a limited number of files were included in the HWL Ebsworth breach, and that it was working with HWLE to notify affected individuals as a priority. More here.  
• The Tasmanian government is exposed to the data breach and was notified of that exposure by federal authorities in early June. More here.  
• L egal documents from the Victorian Government have been released .  
• The Queensland government also confirmed that some of its files were involved.   

What Is The Impact?

Impacted organisations are concerned about the contents of the data that has been revealed so far.    

There is also a risk that the affected clients will receive ransom demands from Black Cat. Since HWL Ebsworth has refused to pay the ransom, the gang may elect to go after the clients individually and request payment in exchange for their data being deleted.   

The Cl0p ransomware gang has recently used this strategy to get paid following its (massive) MOVEit hack.   

 HWL Ebsworth is working with Australia’s national identity and cyber support community service IDCARE to support impacted people.  

HWL Ebsworth’s Injunction  

HWL Ebsworth applied to the NSW Supreme Court for an injunction that would restrain the Black Cat ransomware gang from “any further broader access to or dissemination” of the stolen data. In an Australian first, the court granted the order.  

“We also took the step, unprecedented in Australia, of obtaining an injunction from the Supreme Court of New South Wales, seeking to restrain further publication or dissemination of confidential information.”      

The Black Cat ransomware gang is widely believed to located in Russia, well outside the reach of Australian enforcement bodies. So, they’re unlikely to be concerned by an injunction from an Australian court.   

The real impact is on Australian journalists and researchers, who are prevented from re-publication or dissemination of the leaked data. The injunction applies to anyone else in possession of the data, which includes the media.  

Commentators are divided on whether the injunction is a burden on free speech, or a sensible precaution.  

Key Takeaways for Australian Organisations  

• Training your team is key. Assuming the reporting about the cause of this breach is correct, cybercriminals used the compromised credentials of a lawyer at HWLE. Your team are and will likely remain your biggest security risk. Tailored security training empowers your team to understand and make better decisions in the face of cyber risk.   

• Data Leakage prevention. Some sort of DLP solution might well have alerted HWLE to the exfiltration of 4 TB of data, before it appeared on the dark web. Preventing the loss of data is far preferable to recovering from the breach.  

• Engagement with relevant agencies. So far it seems that there has been little public backlash against HWLE, perhaps as a result of their broad engagement with a range of different agencies – including the ACSC – to help address the breach. Knowing who to contact and when should be part of every organisation’s data breach response plan.  

• Use the HWL Ebsworth data breach as a case study. The final cost to HWLE is yet to be calculated. To date it includes 5000 hours of partners and staff time as well as the costs of external consultants. And going forward it is likely to result in a significant loss of clients. For any professional services organisation, this is a great case study in what could happen and the impacts on your client base and revenues.  

 Stress Test Your Security with Privacy 108  

Privacy 108 works with organisations to analyse and improve security. We regularly work with organisations to provide the following security management services:   

• Scope definition.   
• Gap analysis.  
• Risk assessments.   
• ISMS implementation.   
• Internal audits.   
• Training and awareness.  

We can help write and test your data breach response plan, and run simulation exercises for your senior executives.  

Contact us to learn more. 

Further reading: 

HWLE Cyber Incident notice 

OAIC notification 

NSW Government alert