June 16, 2023
The Albanese government has established a crisis group to examine what commonwealth data has been stolen by Russian-linked hackers who infiltrated the systems of HWL Ebsworth, the giant law firm that has tens of millions of dollars of contracts across at least 40 government departments and agencies.
Sensitive agencies including Home Affairs, the Australian Federal Police, Australian Taxation Office, Department of Defence, Department of Foreign Affairs and Commonwealth Director of Public Prosecutions are among those feared to have been impacted by the hack.
Forensic cyber experts and national security agencies are now working to determine what commonwealth information is among the four terabytes of data stolen by Russia-linked ransomware gang BlackCat, also known as AlphV or AlphaSpider.
The Attorney-General’s Department has established a working group to examine the impact of the data leaks. There are deep concerns within government that data including information on vulnerable people may have been compromised, along with legal advice that could prove deeply embarrassing to the government, its predecessor and its agencies.
While the hackers did not infiltrate government computers, it is understood they did access information provided by government agencies to HWL Ebsworth, and likely also obtained data and advice provided by the firm to its government clients.
The giant law firm specialises in government work, spruiks on its website that it is the only firm appointed to all Australian government legal service panels, and advertises 25 partners who specialise in government work.
A search of the AusTender website shows there are more than 1600 individual current or recently expired contracts or panel agreements between government departments and the law firm, worth tens of millions of dollars.
The Australian has been told there are daily meetings occurring across government as agencies race to determine what data has been accessed, and how damaging any potential release of the data would be.
The hackers published 1.2 terabytes of the data earlier this month, but their site, on the dark web, is currently offline. The hack is believed to have occurred in April, and was reported to the government on May 1.
Most departments contacted by The Australian on Thursday referred inquiries to HWL Ebsworth, but the firm would not comment on its clients. “The privacy and security of our client and employee data remains of the utmost importance,’’ it said in a statement. “We acknowledge and understand the impact this may have, and we continue to communicate closely with our clients.
“We continue to work with the Australian Cyber Security Centre, the Office of the Australian Information Commissioner and all relevant government authorities and law enforcement. We will continue to provide updates as we progress our response.’’
Agencies and departments including Prime Minister and Cabinet, Treasury, Finance, Education, Agriculture, Fisheries and Forestry, Industry, Science and Resources, Employment, and the Department of Foreign Affairs and Trade are all either current or recent clients of the firm, or have panel agreements with it.
The Fair Work Ombudsman, Parliamentary Budget Office, Aged Care Quality and Safety Commission, ASIC and Services Australia are also clients.
The Office of the Australian Information Commissioner – the nation’s privacy watchdog – confirmed on Wednesday it had lost data to the hackers. But The Australian has been told the OAIC breach was “the tip of the iceberg’’ and the likely loss of data extended across the government.
Cyber Security Minister Clare O’Neil’s office confirmed it was investigating the potential impact on government data.
A spokesman refused to say how many agencies were clients of the law firm and had been impacted by the hack, referring all questions to HWL Ebsworth.
“The government continues to actively engage HWL Ebsworth as it investigates the extent of the breach, including impacts on commonwealth information,” the spokesman said.
“HWL Ebsworth first reported a cyber incident involving ransomware and claims of data exfiltration and publication to the dark web on 1 May 2023.
“The government is working with HWL Ebsworth to understand and manage potential consequences of the publication of the data. As this matter is the subject of an ongoing joint investigation between the AFP and Victoria Police, it would not be appropriate to comment further.”
Ms O’Neil would not comment on what Home Affairs data may have been compromised.
The AFP, which has multiple contracts with the firm, also declined to comment on what data the hackers may have accessed.
The Australian Electoral Commission said: “Attorney-General’s Department has established a working group to assess the exposure of commonwealth data as a result of the HWL Ebsworth data incident. Questions about that data incident are best directed to the Attorney-General’s Department.’’
Attorney-General Mark Dreyfus’s office referred questions to the department, which said: “It would not be appropriate for the Attorney-General’s Department to disclose details about its engagement of legal services providers. A co-ordinated whole-of-government approach is currently under way to support agencies’ response to the HWL Ebsworth cyber incident.’’
The ATO said it “could not comment publicly on the specifics of our cyber security posture’’ but was aware of the incident. It urged taxpayers to be alert to contact the ATO if they found access to online systems had been affected.
The NDIS Quality and Safeguards Commission confirmed it “had been made aware of the data breach by HWL Ebsworth Lawyers affecting commission information”.
“We will continue to engage with the firm who is working with the Office of the Australian Information Commissioner and other relevant government agencies,’’ the commission said.
A spokeswoman for Defence Minister Richard Marles would not comment on what Defence data may have been impacted, saying: “Specific inquiries relating to this incident should be directed to HWL Ebsworth.’’
Foreign Minister Penny Wong’s office referred questions to DFAT, which did not respond.
While the government was first made aware of the breach on May 1, it does not appear anyone has been notified of a breach, under the requirements of the Notifiable Data Breaches scheme, which was introduced in 2018 and requires organisations to notify people at risk of “serious harm’’ within 30 days.
Opposition cyber security spokesman James Paterson said: “The government must come clean about to what extent other departments and agencies have been affected … given the firm is such a significant provider of services to the government.
“They must also be upfront about whether citizens’ privacy has been impacted. Australians have the right to know if other government data has been lost.’’