A cyber attack that targeted intellectual property legal group IPH Limited (ASX: IPH) and two of its member firms will cost the parent millions as the company unveils the extent of what was stolen by hackers.
Initially announced back in March, IPH had its IT environment accessed by unauthorised parties in a breach that was limited to the document management systems of its head office as well as two member firms Spruson & Ferguson and Griffith Hack and their practice management systems.
Today, the company - which restored key system functionality shortly after the hack - has revealed that it estimates $2 million to $2.5 million (pre-tax) will be incurred as non-underlying costs in its FY23 accounts related to the incident.
Further, for the month of March 2023, the disruption also contributed to a service charge budget shortfall of approximately $4.4 million for the impacted businesses of Griffith Hack and Spruson & Ferguson.
As such, IPH says the shortfall will result in lost revenue due to the disruption, primarily connected to time-based charges which may not be fully recovered. However, the firm says ‘the event-driven nature of the IPH revenue model’ means it expects to recover ‘a material proportion’ of the shortfall over time.
According to the legal group, a ‘substantially complete’ forensic investigation has now uncovered that a limited set of data was downloaded by an unauthorised third party during the event.
The dataset originated from the Spruson & Ferguson business and primarily contained data relating to the firm’s clients and some historical financial and corporate information.
“Based on the investigation to date, we have no evidence to suggest that data located on any other component of IPH’s IT network (including the IPH document management system and the document management and practice management systems of Griffith Hack) was downloaded by the unauthorised third-party during the course of the incident,” IPH said.
“IPH has reviewed the downloaded dataset and has worked with Spruson & Ferguson Lawyers to directly contact affected clients.”
The company added that to ensure it meets any privacy or data breach obligations, it has undertaken a detailed review of the affected data to determine the presence of any personal information.
“Based on this analysis, IPH has determined to notify a small number of individuals whose personal information was in the dataset,” IPH said.
“IPH expects to complete the investigation and response into the cyber incident within the next few weeks and will update the market if there are any material changes to the outcomes set out in this announcement.”
The news comes after it was revealed that Coles Credit Card holder data was affected by a recent cyber attack on Latitude Financial’s (ASX: LFS) systems.
Latitude - a former service provider for Coles Financial Services - was hit with the cyber attack one month ago and in March revealed that close to 8 million drivers licence numbers were stolen during the hack.
According to Coles, the company changed service providers to Citibank in March 2018 - implying that only Coles Credit customers prior to that date were swept up in the cybercrime at Latitude.
Get our daily business news
Sign up to our free email news updates.