August 8, 2023
The Russian-linked hack on law firm HWL Ebsworth compromised commercially sensitive federal government data and the personal details of government staff and clients.
In answers to questions on notice, the government revealed the Department of Home Affairs had obtained a list of departments and agencies affected by the hack, described by Cyber Security Minister Clare O’Neil as being on par with the Optus, Medibank and Latitude hacks of last year.
The government declined to release the list, and confirmed that four months after the hack by ransomware gang BlackCat/ALPHV, it had not yet notified affected individuals that their data had been compromised.
Senator Murray Watt, speaking on behalf of Ms O’Neil, said the Department of Home Affairs “has received a list of Australian government departments and agencies that may have been impacted by the HWL cyber security incident”. “Not all departments and agencies within that list have been able to confirm they have been impacted by the incident,” he said in response to questions from opposition cyber security spokesman James Paterson.
“The Department of Home Affairs cannot answer questions on (the) nature of the compromised data for other Australian government departments and agencies (but) the compromised data includes a range of personally identifiable information relating to Australian government employees and clients/customers, corporate information and commercially sensitive information.
“In relation to the department’s data, HWL Ebsworth is analysing the impacted data sets to identify the nature of the information contained in the data.”
A spokesperson for Ms O’Neil said Home Affairs was aware some of its data had been exposed.
“HWL Ebsworth has begun notifying affected individuals with the assistance of the department,” the spokesperson said.
“The National Cyber Security Co-ordinator is working closely with HWL Ebsworth to better understand the issues relating to the nature of the data impacted and the process for notifying affected individuals.”
The hack of 2½ million documents from Australia’s largest commercial law firm has impacted multiple agencies across the federal government, state governments including Tasmania, Victoria, Western Australia and Queensland, and major companies including the four big banks.
Judo Bank and airline Regional Express (Rex) are the two latest companies to advise they also lost data.
Despite having 63 federal government clients and contracts worth more than $100m, HWL Ebsworth and other law firms are not on the critical infrastructure register and do not fall under the Security of Critical Infrastructure (SOCI) Act that places greater cyber security obligations on companies listed on the register.
HWL Ebsworth has not explained specifically how the hackers were able to compromise the company’s Melbourne servers, but it said it had “hardened our systems”.
Senator Paterson has been trying for months to find out which agencies were impacted, and how the government was notifying affected persons whose data had been compromised.
“It is disturbing that four months on from this serious cyber incident, those who may have been affected have still not been notified and the government is still not certain which departments have been hit or what data they have lost,” he said. “This should be an immediate priority of the newly appointed National Cyber Security Co-ordinator.”
None of HWL Ebsworth’s clients’ computer systems were hacked, but their communications, including emails, spreadsheets, identification and other documents exchanged with the law firm have been compromised.
The National Disability Insurance Agency, one of the government organisations hacked, has many vulnerable clients and some of those have also been impacted.