Qld state government files breached in HWL Ebsworth attack
The Queensland government last week confirmed that files from its systems have been compromised as part of the HWL Ebsworth breach.
Editor’s note: This story originally appeared on Lawyers Weekly’s sister brand, Cyber Security Connect.
“The Queensland government is aware of a cyber incident and data breach impacting law firm HWL Ebsworth,” it said.
“The Queensland government is working with HWL Ebsworth and relevant Commonwealth agencies as the extent of the breach is investigated, including impacts to government information.
“This includes work to understand and manage potential consequences of the theft and publication of the data and to ensure that all notifications are made to affected parties where required.
“Specific enquiries relating to this incident should be directed to HWL Ebsworth.”
According to a spokesperson from the Queensland government, the breach saw several “documents relating to a limited number of department’s [sic] files” exposed.
“The Department of Home Affairs continues to work with HWL Ebsworth and affected government agencies as it investigates the extent of the breach, including exposure of Queensland government information and related consequences arising from this exposure,” the spokesperson added.
As reported by Cyber Security Connect and Lawyers Weekly, the Fair Work Ombudsman has had certain files compromised as a result of the breach of one of Australia’s biggest law firms, and in mid-June the Tasmanian state government reported a possible leak of data pertaining to the breach.
Lawyers Weekly recently detailed HWL Ebsworth’s plan to manage the data leak.
Earlier this month, HWL Ebsworth promoted 72 lawyers to more senior roles, including seven to its partnership – the biggest in Australia.
Like other state and federal government agencies, the Queensland government is working with HWL Ebsworth to determine the issue and is preparing to contact affected clients.
“The Queensland government takes the privacy of its data holdings seriously and is working with HWL Ebsworth to understand what information may have been disclosed.
“Should our clients’ personal information be affected, the individual departments will work with HWL Ebsworth to ensure affected individuals are notified as soon as possible, and offer assistance and support as required.”
The announcement from the Queensland government followed the Victorian government’s confirmation that several of its sensitive legal documents were published on the dark web.
“Following its announcement in April 2023 of a major cyber breach,” Victoria’s chief information security officer (CISO) said in a statement, “law firm HWL Ebsworth has now confirmed that information relating to its work with several Victorian government departments and agencies has been released by cyber criminals to the dark web”.
The HWL Ebsworth attack, which occurred back in April at the hands of the Russian state-backed hacking syndicate ALPHV (also known as BlackCat), resulted in a number of major companies, such as the big four banks, as well as government agencies and authorities, including the Australian Federal Police (AFP) and the Office of the Australian Information Commissioner (OAIC), being compromised.
Australia’s new national cyber security coordinator has made it his first order of business to investigate the HWL Ebsworth supply chain attack.
“My first order of business as national cyber security coordinator was to seek briefings from the Department of Home Affairs and HWL Ebsworth on the status of the response to the cyber incident,” said Air Marshal Darren Goldie, who was appointed to the role in June.
To prevent data stolen in the hack from being used maliciously, HWL Ebsworth has secured an NSW Supreme Court injunction against the publishing of the data.
However, cyber security experts say the injunction could prove to be not only ineffective but also counterproductive.
Brett Callow, ransomware researcher for New Zealand security firm Emsisoft, said this defensive strategy had been used before and could have the opposite effect.
“New Zealand’s Waikato District Health Board and the Irish Health Service Executive are among the other organisations to have taken similar courses of action, and it’s a somewhat risky strategy,” he told New Zealand publication ITWire.
“On the one hand, the injunction may dissuade casual looky-loos from accessing the data and stop reporters from using it as the basis for stories.
“On the other hand, it’s unlikely to stop ALPHV from releasing the data and may actually provoke them into releasing it more quickly or distributing it more widely than they otherwise would.”
Callow named a specific instance in the US where obtaining an injunction led to data being released faster and with more malicious intent behind it.
“When US company Southwire obtained injunctions against the Maze ransomware group and its web host, Maze started to release the data on a Russian cyber crime forum with a note inviting people to ‘Use this information in any nefarious ways that you want’,” he said.