Australian law firm HWL Ebsworth, trusted by numerous federal agencies and the country’s biggest banks, has suffered an extremely serious data breach. It’s still difficult at this point to report exactly how serious, because the firm has obtained an injunction that prevents the media from getting into too much detail and the impacted downstream organizations are staying very quiet as internal investigations unfold.
The incident adds to a stretch of data breach woes that has plagued the country for nearly a year now, with some irate citizens forced to change personal identification and banking numbers more than once due to leaks from completely different sources. The law firm’s stolen data may well contain more government information, along with bank records and even military and police secrets.
HWL Ebsworth data breach impacts military, federal police, multiple government agencies
Australians have lost national identification numbers and health information in recent data breaches, such as those taking place at telecoms giant Optus and health insurer Medibank (which was just hit for a second time in the unrelated string of MOVEit breaches). It appears that they need to brace for impact once again with a wide variety of federal government organizations reporting stolen information, along with all of the country’s “big four” banks.
The culprit behind the law firm breach is ALPHV/BlackCat, one of the biggest ransomware gangs. The group has claimed credit, extorted victims and already leaked about a third of the stolen data via its dark web site. Interestingly, the group did not opt to deploy ransomware as part of the data breach, reflecting Cl0p’s handling of the recent MOVEit attacks. This could signal a trend away from ransomware to simple data extortion, though both MOVEit and the Australian law firm appear to have decided on not paying the ransom and letting the data leaks ride.
Law firm clients mostly staying quiet about data breach damage
At this point information about exactly what was lost in the data breach is still hard to come by, but the list of known compromised clients has by itself created a whirlwind of concern.
It is not known exactly what the data breach window was, but the law firm said that it did not become aware of the incident until the stolen information was offered up on the dark web on April 28. ALPHV/BlackCat began leaking stolen information in early June. A statement issued by HWL Ebsworth downplays the amount of access the attackers had to the network, but the company’s actions and the list of clients reporting in with data breaches paint a different picture.
Australians who have already had identity information exposed will no doubt be thrilled to learn that all four of Australia’s big banks (ANZ, National Australia Bank, Westpac, the Commonwealth Bank) were caught up in the data breach. There is still little information about this aspect, however, other than National Australia Bank commenting that it believes only a “small amount” of customers are impacted.
On the government end, the Defence Department and the Australian Federal Police were both reportedly breached. So were the Taxation Office and Department of Human Services, among others. The state government of Tasmania was also breached, just two months after it suffered another serious data leak. And regulation may end up being a little slow to respond to this issue, as the Office of the Australian Information Commissioner was also among the law firm clients reporting exposure in the data breach.
In total about four terabytes of data were stolen, and the hackers have leaked about 1.4 terabytes thus far. HWL Ebsworth turned down a $5 million ransom demand prior to the leaks starting.