Inside HWL Ebsworth’s plan to manage a 4TB data leak
As the latest victim of a Russian hacker group, HWL Ebsworth has disclosed its unsuccessful negotiations to prevent the leak and has detailed a plan to stop the stolen data from spreading further.
Editor’s note: Lawyers Weekly’s sister brand, Cyber Security Connect, is covering the alleged hack of HWL Ebsworth as well as other cyber incidents impacting Australian businesses, organisations and government departments.
When an email now known to be from the hacker collective reached the inboxes of personnel within HWL Ebsworth on 26 April, it was originally dismissed as spam “due to its nature”.
In the email, the hackers threatened that the “largest partnership in Australia now have a big problem with your data leak”.
After HWL Ebsworth failed to meet the ransom demand — speculated to be in the multimillion-dollar range — 1.4 terabytes of the stolen data was posted online last week. It is understood one-third of the total data the hackers said they accessed has been posted online.
The Russian-backed ALPHV ransomware group, also known as BlackCat, hacked into an HWL Ebsworth employee’s personal computer and allegedly stole more than four terabytes of data from the firm’s Melbourne server, including client and staff documents.
In an affidavit filed in the Supreme Court of NSW, and seen by Lawyers Weekly, chief strategy officer Russell Mailler said that while a second email was blocked two days later by anti-spam protection, he became aware of a post from the hackers about the stolen data.
In negotiation logs included in the affidavit, the firm told the hackers they were “trying our best” and said the partners had planned to meet the following Monday, being 1 May, to discuss what to do.
“We will get back to you after our Monday meeting. We trust that there will be no surprises until then. It seems we both understand the consequences of data being posted,” the firm responded.
Over that weekend, the hackers emailed the firm again to inform them there was “very little time left” before they would post the stolen data and offered to “give you a good discount”.
“We warn you that if payment is not made, the information will be published in the public domain,” the hackers threatened.
“I think you will understand how much data is worth after publishing.
“Upon receipt of reputational damage, fines from the state and courts. You are losing even more money than we ask. For your company, the fact that you pay this amount and forget about it will not matter much.”
In another affidavit, HWL Ebsworth partner Andrew Miers confirmed the firm had so far incurred over $250,000 in costs to conduct a comprehensive review into the leaked data, but he expects that figure “will continue to grow” as a dedicated team sifts through the leaks.
“I understand that partners and staff within the firm have spent at least approximately 5,000 hours on the task, and that figure will continue to increase,” Mr Miers added.
The data management team, which includes Mr Miers, has received “significant internal resources” and has so far “cleansed” the files the firm believes to have been stolen and is undertaking a “reconciliation of that data with the list of files we are working from”.
Mr Miers said the team had commenced a manual triage into four separate drives and is “well underway” in relation to two. The other two, the firm predicts, may be completed in the second half of June.
Earlier this week, HWL Ebsworth obtained an injunction from the Supreme Court prohibiting the hackers and any third parties, which would include media and clients, from publishing or promoting any further material from the leaked data.
According to Mr Miers’ affidavit, at least nine clients and two service providers have downloaded and searched through the leaked data.
He said a “communications strategy” has been put in place to provide updates to impacted clients and to give them an opportunity to obtain a copy of their impacted information.
In a statement provided to Lawyers Weekly early last month, HWLE chief strategy officer Russell Mailler said that the firm had notified the Australian Cyber Security Centre and would continue to work with it throughout the course of the subsequent investigation.
“The privacy and security of our client and employee information is of the utmost importance to us. As soon as we learned of this potential incident, we acted quickly to respond to the threat and have been working with third-party experts to determine the validity of the claims, and to ensure the ongoing safety and security of our systems,” Mr Mailler said.
“We will continue to provide updates to our stakeholders, as appropriate, as new information becomes available. While investigations are ongoing, our operations are not impacted, and our focus remains on providing exceptional service for our clients to the high standards of our firm.”
New working group established
Following this breach and the subsequent court action, the Attorney-General’s Department has launched a working group to establish the scale of the data leaks and their impacts. This came after the establishment of a crisis group by the Albanese government to determine which data was stolen.
In addition, as reported by The Australian, the group will seek to determine if there is any Commonwealth data in the breach and in the data already released online.
HWLE has 25 partners who specialise in government work and have clientele at all levels of government — including the Prime Minister and Cabinet, Treasury, Finance, the Parliamentary Budget Office, Australian Securities and Investments Commission (ASIC), and Services Australia, among others.
On Wednesday (14 June), the Office of the Australian Information Commissioner (OAIC) confirmed that it had data stolen in the HWLE breach.
“The OAIC can confirm that it is a legal client of HWL Ebsworth,” a spokesperson for the OAIC told The Australian.
“We have also been recently informed that some material provided to the firm has been compromised as a result of the cyber attack.
“The OAIC is in active dialogue with HWL Ebsworth to understand what information has been compromised.”
A Department of Home Affairs spokesperson told Lawyers Weekly that the department was “leading the coordination effort in response to consequences that may be realised from this incident”.
“The Government continues to actively engage HWL Ebsworth as it investigates the extent of the breach, including impacts on Commonwealth information,” they said.
More to come.