Investigation launched into HWL Ebsworth over cyber attack from BlackCat

Australian Information Commissioner and Privacy Commissioner Angelene Falk.

The Office of the Australian Information Commissioner (OAIC) has launched an investigation into how HWL Ebsworth Lawyers (HWLE) handled the security and protection of personal information held prior to an April 2023 cyber breach from Russia-linked hacking group BlackCat, in which 4 terabytes of data was purportedly stolen from internal files.

Investigations by HWLE with McGrathNicol found the threat actor, also known as ALPHV, took certain information on a confined part of the firm’s system, and published some of the data on a dark web forum over a three-week period in June 2023.

The OAIC has been conducting preliminary inquiries into the matter since June, and will now be investigating the personal information handling practices of the firm and the notification of the data breach to affected individuals.

Commissioner Angelene Falk has a range of options available to her if, following her investigation, she is satisfied that an interference with the privacy of one or more individuals has occurred.

"This includes making a determination, which can include declarations that HWLE take specified steps to ensure that the relevant act or practice is not repeated or continued, and to redress any loss or damage suffered by reason of the act or practice," the OAIC wrote in a statement this morning.

"If the investigation finds serious or repeated interferences with privacy of individuals, then the Commissioner has the power to seek civil penalties against HWLE from the Federal Court of Australia.

"In line with the OAIC’s Privacy regulatory action policy, the OAIC will await the conclusion of the investigation before commenting further."

A spokesperson from HWLE notes the announcement from the OAIC and emphasises the "privacy and security of our client and employee data is of the utmost importance".

"Since becoming aware of this incident, HWL Ebsworth’s focus has been to ensure that we properly reviewed the stolen data and informed those impacted as swiftly as we could, and we have worked closely with impacted organisations to notify all affected individuals," the spokesperson says.

"We have offered support services to impacted individuals and took the additional step of obtaining an injunction to restrain further publication or dissemination of confidential information," the spokesperson says, adding that the firm will co-operate fully with the OAIC.

On the company's website, last updated on 8 February 2024, HWLE highlights the step of obtaining this kind of injunction from the Supreme Court of NSW was "unprecedented" in Australia.

"The injunction was sought to protect the interests of impacted individuals and affected persons and has proven to be extremely successful," the firm wrote.

"In the absence of the injunction, anyone with access to the dark web would not have had any legal restriction to accessing the published portion of the exfiltrated data for the short period of time that it was accessible.

"Our approach has restricted the possibility of misuse of the exfiltrated data, while still ensuring that affected individuals are notified of their sensitive data that was impacted in this incident."

The firm notes that the completion of a detailed analysis of all the data accessed by criminals was a complex challenge given the data set was large and unstructured.

"Since day one, we have worked closely with the government and all relevant authorities – including the Australian Cyber Security Centre and law enforcement agencies in their ongoing investigation into the incident," the firm wrote.

Another OAIC investigation together with its New Zealand counterpart into Latitude Group (ASX: LFS), which had 14 million personal documents stolen in 2023, is ongoing.

Global operation targets ransomware group that took millions of dollars from Australians

The OAIC announcement happens to coincide with news today that an international police operation involving the Australian Federal Police (AFP) took down the world's most prolific ransomware group, which was allegedly responsible for the LockBit software known to criminals as ransomware as a service (RaaS).

LockBit, which has caused billions of dollars’ worth of harm across the globe including millions to Australian individuals and businesses since it was first identified in 2019, has been disrupted following an investigation involving law enforcement agencies from 10 countries.

The Europol-led investigation, known as Operation Cronos, has disrupted LockBit’s critical infrastructure. This included its primary platform and 34 servers across Australia, Netherlands, Germany, Finland, France, Switzerland, the United States and the United Kingdom.

France’s National Gendarmerie arrested two alleged LockBit actors in Poland and Ukraine, and a further three arrest warrants and five indictments have been issued by French and US law enforcement.

More than 200 cryptocurrency accounts allegedly owned by the ransomware group have been frozen by law enforcement, stripping the group of significant profits.

Authorities have obtained a significant amount of data since the investigation started, after the UK National Crime Agency took over LockBit’s technical infrastructure. Further arrests across the globe are expected.

LockBit was known to criminals as a ‘ransomware-as-a-service’ product, meaning criminals with little to no technological skills could purchase and use a ready-made ransomware program to attack their victims.

Ransomware is a type of malicious software that, once installed on a device or network, encrypts the data and files, making them unusable. Cybercriminals use ransomware to extort payments from victims in exchange for the recovery of, and ability to regain access to, the encrypted data.

Assistant Commissioner Scott Lee said the international investigation was a significant breakthrough in the global fight against cybercrime.

“Cybercrime is not restricted by borders and tackling this crime type requires a united, global response from law enforcement,” Assistant Commissioner Lee says.

“The AFP continues to work closely with our international law enforcement partners, as demonstrated through the recent disruption of the BlackCat ransomware group."

Lee says this latest takedown is yet another example of the powerful outcomes that can be achieved through a united law enforcement front.

“This investigation has not only taken down the world’s most prolific ransomware group, but also damaged the group’s reputation and credibility beyond repair," Lee says.

“We have obtained a vast amount of data from investigations so far and will continue to follow all leads and bring those responsible to justice."

In other cyber security news, last week Eagers Automotive (ASX: APE) confirmed it was recently made aware that a third party claimed to have published stolen data online from a December 2023 breach.

Hackers getting faster at stealing data

The latest 2024 Incident Report from cyber security provider Palo Alto Networks' (NASDAQ: PANW) threat intelligence arm Unit 42 found that in 2023 the global average time taken for hackers to exfiltrate data after a system was compromised was drastically reduced.

The report found 45 per cent of cases in 2023 saw attackers exfiltrate data in less than a day after compromise, with the median time dropping from nine days in 2021 to just two in 2023.

A third of all incidents involved malware linked to ransomware, and the use of malware for data destruction has also increased five-fold since 2022. The report shows just 68 per cent of attackers kept their ransom promises after they’ve been paid.

Unit 42 found an increase in cloud incident responses, up from 6 per cent in 2021 to 16.6 per cent in 2023, signalling a "growing threat landscape in cloud environments".

The top industries targeted included professional and legal services, high technology, manufacturing, healthcare, finance, and wholesale and retail; these sectors accounted for 63 per cent of cases in 2023.

"In the past year, we have seen threat actors making larger and faster moves that damage their targets," Unit 42 senior vice president Wendi Whitmore said in the report.

Whitmore highlighted three key areas of focus in the report: speed matters, software vulnerabilities still matter, and threat actors are becoming more sophisticated.

"And this is all happening at the same time as artificial intelligence (AI) is a top concern. While attackers may benefit from new AI capabilities, defenders already do. And we’re actively working on even more AI-driven abilities," Whitmore said.
