For law firms and in-house teams alike, there are key takeaways from recent high-profile cyber security incidents impacting a prominent Sydney-based law firm and multiple superannuation funds across Australia.
Brydens
Last month, Sydney-based law firm Brydens Lawyers revealed in social media posts that it had fallen victim to a cyber incident in February, with the firm’s principal, Lee Hagipantelis, noting there had been unauthorised access to some data on its servers. According to SMH, a foreign actor was attempting to extort a ransom from the firm, and more than 600 gigabytes of data – including case, client, and staff data – was stolen in the incident.
Later in March, the firm sought and obtained an injunction banning “dissemination of the impacted confidential information” in the wake of an alleged ransomware attack.
In conversation with Lawyers Weekly, Redacted Information Security director and principal consultant, Remy Coll, said that from what is known about the Brydens incident, “the attackers’ motive appears to be financial, and that they are seeking blackmail payments from Brydens clients, and the firm itself”.
This is “iconic”, he said, of attacker behaviour towards law firms.
“Attackers seek access to sensitive data, or to manipulate large transactions (such as M&A, property, and investment transactions).”
“As not much information has been released about how the attack occurred, only inferences can be drawn from the limited facts,” Coll mused.
Super funds
Moreover, and as has been reported in the past week, numerous large Australian superannuation funds have suffered breaches, with thousands of user accounts compromised. The funds affected included Rest, Hostplus, Australian Retirement Trust, AustralianSuper, and Insignia, the owner of major superfund brand MLC.
As reported by Lawyers Weekly’s sister brand Cyber Daily, while both Rest and Insignia have confirmed no financial losses, AustralianSuper said that $500,000 was stolen in the cyber attack. Those superannuation customers who have lost money are most definitely pensioners whose accounts are in the pension drawdown phase, as those accounts can request lump sum withdrawals.
The AustralianSuper compromise, Coll noted, is an example of the shared responsibility for cyber security that is held between customers, providers, and regulators or government.
“The AustralianSuper attacker targeted the customers themselves. Often, when the customers practise poor personal cyber security, the provider will point to them and say they are not responsible for the compromise,” he said.
“However, now we are seeing a shift in accepting that statement.”
“It is the responsibility of providers to implement reasonable cyber security features into their systems for customers to use. This attack used a combination of credential stuffing (where an attacker uses a previously breached dataset of usernames (which are usually emails) and passwords, and just runs them all against another system to try and log in as any of those people) and brute forcing (where a generic password list is used to guess) to gain control of super accounts and transfer funds,” Coll explained.
“These are relatively simple attacks and can be defended against by common security features such as multifactor authentication, passkeys, and new browser validation. However, the provider has to offer these security features.
“No doubt many will point to the customers and say, ‘But they reused passwords across all their accounts, or had bad easy-to-guess passwords’, and while this is true, in the instance of AustralianSuper, they were also not provided with even the option of configuring multifactor authentication.
“AustralianSuper could have made SMS-based multifactor authentication mandatory and likely prevented the breach unilaterally. While SMS MFA isn’t the best, it’s far better than no MFA.”
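The two attack patterns Coll describes leave distinct fingerprints in a provider's authentication logs: credential stuffing shows one source trying many different usernames once or twice each with a high failure rate, while password brute forcing shows one source hammering a single account. The following is an added example, written for this article and not code from Lawyers Weekly, Redacted Information Security or any of the funds named; it assumes a hypothetical one-event-per-line log format, uses constructed sample lines, and the detection thresholds are assumptions a defender would tune to their own traffic. It flags both patterns and lists any account that logged in successfully from a flagged source, since that is the account an operator should force through MFA enrolment or a password reset.

```python
"""Flag credential stuffing and brute-force patterns in authentication logs."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (hypothetical format, not from any real provider):
# <timestamp> ip=<source> user=<account> result=<success|fail>
SAMPLE_LOG = """\
2025-04-01T09:00:01Z ip=198.51.100.7 user=alice@example.com result=fail
2025-04-01T09:00:02Z ip=198.51.100.7 user=bob@example.com result=fail
2025-04-01T09:00:03Z ip=198.51.100.7 user=carol@example.com result=success
2025-04-01T09:00:04Z ip=198.51.100.7 user=dave@example.com result=fail
2025-04-01T09:00:05Z ip=198.51.100.7 user=erin@example.com result=fail
2025-04-01T09:00:06Z ip=198.51.100.7 user=frank@example.com result=fail
2025-04-01T09:01:00Z ip=203.0.113.9 user=bob@example.com result=fail
2025-04-01T09:01:01Z ip=203.0.113.9 user=bob@example.com result=fail
2025-04-01T09:01:02Z ip=203.0.113.9 user=bob@example.com result=fail
2025-04-01T09:01:03Z ip=203.0.113.9 user=bob@example.com result=fail
2025-04-01T09:01:04Z ip=203.0.113.9 user=bob@example.com result=fail
2025-04-01T09:01:05Z ip=203.0.113.9 user=bob@example.com result=fail
2025-04-01T09:02:00Z ip=192.0.2.5 user=alice@example.com result=fail
2025-04-01T09:02:10Z ip=192.0.2.5 user=alice@example.com result=success
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated while reading the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: set = field(default_factory=set)
    failures_per_user: dict = field(default_factory=lambda: defaultdict(int))


def parse_line(line):
    """Return (ip, user, succeeded) for one log line in the assumed format."""
    fields = dict(token.split("=", 1) for token in line.split()[1:])
    return fields["ip"], fields["user"], fields["result"] == "success"


def aggregate(log_text):
    """Group login attempts by source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
            s.failures_per_user[user] += 1
    return stats


def classify(stats, min_users=5, min_fail_ratio=0.6, min_failures_per_user=5):
    """Label each suspicious source; thresholds are assumed starting points.

    credential_stuffing: many distinct accounts tried, mostly failing.
    brute_force: one account receiving repeated failed attempts.
    accounts_to_review: accounts that logged in from a flagged source.
    """
    findings = {}
    for ip, s in stats.items():
        fail_ratio = s.failures / s.attempts
        labels = []
        if len(s.users) >= min_users and fail_ratio >= min_fail_ratio:
            labels.append("credential_stuffing")
        if any(n >= min_failures_per_user for n in s.failures_per_user.values()):
            labels.append("brute_force")
        if labels:
            findings[ip] = {
                "labels": labels,
                "accounts_to_review": sorted(s.successes),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in classify(aggregate(SAMPLE_LOG)).items():
        print(ip, finding)
```

On the constructed sample, 198.51.100.7 is labelled credential stuffing and its one successful login (carol) is listed for review, 203.0.113.9 is labelled brute force against bob, and the ordinary user at 192.0.2.5 who mistyped a password once is not flagged. In a real deployment the same counters would be computed over a sliding time window, and the output would feed a rate limiter or a step-up-to-MFA decision rather than a print statement.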
From here, questions must be asked about who bears responsibility for providing reasonable security, Coll pondered.
“Is it the customer, who is required to protect their personal credentials for a system, a provider who needs to give the customer the tools to secure their account, or is it the regulator who should be mandating a base level of cyber security features for providers?”
Lessons and preparedness
When asked what both law firms and in-house teams can learn from these incidents, Coll said that firms should understand which users have access to which material.
“Law firms tend to make all data within their practice management system available and searchable to everyone. This makes sense from a business perspective, as they want their lawyers to be able to cross-reference matters and reuse work previously completed by someone else. Unfortunately, it creates issues for cyber security, particularly in data loss prevention (a subset of security controls),” he warned.
“That data is valuable and sensitive, and access to it should be handled accordingly.”
Like a lot of professional services industries right now, Coll mused, law firms are a “mixed bag” in terms of preparedness.
“On the whole, I believe, they are underprotected. Certainly, they do not have a cyber security culture commensurate with their data holdings,” he said.
“For many firms though, they’ve made good choices, such as using a high-quality MSSP, and undertaking regular independent security assessments (by someone who is not the MSSP). Many use the tools provided by their specialist software houses, such as legal case management and practice management systems.”
“Linking back to the AustralianSuper incident, law firms can be more discerning about what technology they adopt, and seek to make choices based on the security features that provide protective controls for their data,” he said.
In-house counsel, Coll continued, are critical to incident preparedness, and understanding provider responsibilities.
“Engagement between legal and cyber is growing, however I’d say it’s more on technology and risk leadership to engage legal better. In-house legal should be a control point for incidents, incident preparedness, and continuous improvement of security responsibility,” he posited.
“There is already broad acceptance, and even early precedent on the topic of incident response and other cyber security activities being covered under legal privilege. However, this will only apply when certain conditions are met, which involves careful interleaving of legal counsel in cyber security processes and plans.”
“Currently, this level of engagement isn’t often initiated by in-house counsel, when it should be,” he suggested.
Looking ahead
Given the frantic pace at which 2025 has started – and against the backdrop of the 2023–2030 Australian Cyber Security Strategy – Coll said that best practice will constitute using individual providers for individual purposes – “rather than putting all your eggs in one basket”.
“Seek to plan and prepare a careful and coherent security program. Too often firms will simply go to a single MSP and just ask for ‘increased security’ without taking steps to build an enduring and sensible security program that works for their business (and their clients),” he said.
“In general, it is better to have a security program produced by a specialist consultancy, then seek vendors who can fulfil roles in that program.”
Lawyers cannot be afraid of cyber security, Coll concluded.
“Your level of security will reflect the level of engagement you have in building a security program.”
Jerome Doraisamy is the managing editor of Lawyers Weekly and HR Leader. He is also the author of The Wellness Doctrines book series, an admitted solicitor in New South Wales, and a board director of the Minds Count Foundation.