January 15, 2024
Ellen Whinnett
The Australian
Prime Minister Anthony Albanese’s department, the Reserve Bank and Australia Post are among the government agencies that had sensitive data stolen by Russia-linked hackers who compromised the servers of law firm HWL Ebsworth.
Eight months after the BlackCat/ALPHV ransomware gang stole 2.5 million documents from Australia’s largest commercial law firm and later posted one million of them online, the government has finally coughed up the entire list of government entities impacted by the hack.
And the government has admitted “sensitive information”, including legal advice, medical information and “issues relating to national security and law enforcement” was lost in the April hack.
The list of agencies was quietly dropped to parliament four days before Christmas, after the government spent months delaying Freedom of Information requests and refusing to provide it publicly.
It shows that sensitive agencies such as the Australian Commission for Law Enforcement Integrity, which examines corruption and malpractice in law enforcement agencies, and the Australian Digital Health Agency, which has responsibility for digital health records, also lost data in the hack, as did the Department of Prime Minister and Cabinet, Department of Foreign Affairs and Trade and the CSIRO. Treasury and the Department of Parliamentary Services were also impacted, as was WSA Co Limited, the government body set up to deliver and operate the new Western Sydney airport.
The list, provided to opposition home affairs spokesman James Paterson, also confirms the Australian Defence Force, Australian Federal Police and Australian Criminal Intelligence Commission had data compromised.
“The Albanese government has finally admitted they were victims of one of the largest-ever hacks on an Australian government, with an astonishing 62 departments and agencies exposed to the HWL Ebsworth data breach,” Senator Paterson told The Australian.
“Shockingly, among the lost data is – in the government’s own words – sensitive national security information, legal advice, personally identifying information of vulnerable people including victims of crime and private medical information.
“Despite this there is no evidence of any policy changes to make sure this does not happen again, or any consequences for those responsible.”
HWL Ebsworth, which has billed taxpayers tens of millions of dollars for legal work across dozens of government agencies, has said it “hardened” its cyber security as a result of the devastating breach, which forensic auditors believed occurred when the hackers compromised the credentials of a lawyer at the firm.
In its response to Senator Paterson, the government clarified 62 agencies had been hit, down from the initial tally of 65.
“Inclusion on the list does not imply equal impact across these entities. Varying degrees of impact were observed, in both volume and sensitivity of records exposed,” the response said.
“The data affected … is a matter of legal privilege and as such the Department of Home Affairs is unable to comment directly on the nature of the stolen data.
“However, the breach exposed a range of sensitive information … which included: legal advice provided to government entities; personal identifiable information relating to employees or clients of government entities … vulnerable persons information … government information, including potentially sensitive details of issues relating to national security and law enforcement, and litigation matters including employment and immigration decisions, and; corporate information.”
The government said some government entities were still working with HWL Ebsworth “to understand the impact to their organisations’ information”.