Australia’s newly appointed cyber security coordinator has confirmed that more than 40 government agencies were impacted by the recent data hack on law firm HWL Ebsworth.
The federal health department is one of the law firm’s biggest clients, as are Australia’s four major banks.
Russian cybercriminals offering ransomware ‘services’ under the names of ALPHV and BlackCat attacked the law firm in late April, massively breaching its database and stealing sensitive client information.
The criminal group subsequently claimed to have posted 1.45 terabytes of stolen data on the dark web, after the Federal Government refused to give in to its ransom demands.
The Russians punctuated their claim with the message: “ENJOY!!!”
In his first comments since taking on the role last month, national cyber security coordinator Darren Goldie acknowledged that stolen data from government agencies had been illegally disseminated.
“A number of Australian government entities have been impacted by the HWL Ebsworth cyber incident, with sensitive personal and government information released,” Air Marshal Goldie said.
“I am actively engaging with HWL Ebsworth to understand the complete picture of this incident, including how their private industry clients have been impacted, as the data analysis continues.
“Impacted entities are commencing the process of notifying affected individuals about the impacts the data breach has had on their information, and to meet their relevant obligations under the Privacy Act 1988.”
He said getting to the bottom of the circumstances of the huge data breach remains his top priority.
The Department of Home Affairs’ legal services working group is meeting regularly with the law firm, he said, with the aim of understanding the extent of the impact on government agencies.
“My first order of business as national cyber security coordinator was to seek briefings from the Department of Home Affairs and HWL Ebsworth on the status of the response to the cyber incident,” Air Marshal Goldie said.
“I thank the department and HWL Ebsworth for their assistance and advice at very short notice … We will work to ensure the lessons from this incident are shared so that we can continue to collectively bolster our responses to cyber incidents.”
HWL Ebsworth has detailed on its own website the order of events and its response to date.
“On Friday 28 April 2023, we became aware that a threat actor identified as ALPHV/BlackCat made a post on a dark web forum claiming to have exfiltrated data from HWL Ebsworth,” its statement says.
“Upon becoming aware of this threat, HWL Ebsworth immediately engaged McGrathNicol to investigate the incident and undertake containment and remediation actions.
“The investigation indicates the threat actor had accessed and exfiltrated certain information on a confined part of the firm’s system, but not on our core document management system.
“On 9 June 2023, we became aware that the threat actor had published on their dark web forum at least some of the data they claim to have taken.”
“We continue to be engaged in a comprehensive investigation into the nature and extent of the impact of the incident with the assistance of leading external cyber security experts.
“We are conducting a detailed and comprehensive review of the impacted data and informing impacted third parties and individuals as swiftly as we can.
“We have an ongoing engagement with relevant authorities in relation to this process, including the Office of the Australian Information Commissioner, the Australian Cyber Security Centre and law enforcement agencies in their ongoing investigation into the incident.”
Home Affairs Minister Clare O’Neil, who oversees the national cyber security coordinator, has described the attack as “a very significant incident” similar to last year’s data breaches against Optus and Medibank.
The Department of Health and Aged Care has confirmed it was affected by the breach, but that no patient data in My Health Record was impacted.
The full list of government agencies impacted has not been released.
Data from some state governments is also understood to have been affected by the hack.