As HWL Ebsworth nears the completion of our detailed and comprehensive review of impacted information, we are eager to keep the public informed of the impact of this cyber incident. The privacy and security of our client and employee data is of the utmost importance, and we remain mindful of our responsibility to our clients and those individuals who have been affected.
As we contend with the scale and complexity of this challenge, our priority has been to ensure that we properly review the data and inform those impacted as swiftly as we can. This has not been a simple or quick task. The data set is large and unstructured and includes a complex mix of different types of documents and information, affecting many different stakeholders.
We continue to be cognizant that clients and other potentially impacted individuals and parties will be concerned to understand what data of theirs is impacted, but given this complexity, it is important to emphasise just how large the overall task is.
Since day one, we have worked closely with the government and all relevant authorities – including the Australian Cyber Security Centre and law enforcement agencies in their ongoing investigation into the incident. We formally notified the incident to the Office of the Australian Information Commissioner and continue to keep them updated as we work with affected organisations to notify impacted individuals.
We actively engaged with the National Cyber Security Coordinator Air Marshal Darren Goldie, to provide him with a holistic picture of the incident and the actions we were taking in response. The formal coordinated Australian Government response to this incident concluded on 18 September but we will continue to work directly with affected Australian Government agencies and private sector entities.
We also met regularly with the Legal Services Working Group, comprising representatives from across the Commonwealth and State and Territory governments, coordinated by the Department of Home Affairs.
The methodical and detailed work we have been undertaking with our forensic experts McGrathNicol is nearing completion as we have identified and reviewed the impacted data and are now contacting those affected in the most effective and efficient way.
We are engaged directly with law enforcement who have been taking steps to attempt to prevent any further data publication We also took the step, unprecedented in Australia, of obtaining an injunction from the Supreme Court of New South Wales, seeking to restrain further publication or dissemination of confidential information.
INFORMATION FOR INDIVIDUALS
HWL Ebsworth appreciates the patience and understanding of those affected as we continue to work through the impact of this incident. Working together with impacted organisations, we are in the process of contacting individuals who have been impacted to provide information and offer direct assistance and we have established a dedicated channel for enquiries. Given the volume of data compromised, this process will continue to take some time to work through, however we are committed to communicating with all impacted individuals as soon as possible.
Where we have confirmed that core identity information has been impacted – drivers licence, passport, birth certificate details, for instance – we have offered Equifax Protect, a credit and identity monitoring service that helps reduce the risk of financial loss. HWLE has also partnered with IDCARE to provide impacted individuals with tailored and specific advice at no cost. Details on how to access these support services will be communicated directly to impacted persons.
BACKGROUND
On Friday 28 April 2023, we became aware that a threat actor identified as ALPHV/BlackCat made a post on a dark web forum claiming to have exfiltrated data from HWL Ebsworth.
Upon becoming aware of this threat, HWL Ebsworth immediately engaged McGrathNicol to investigate the incident and undertake containment and remediation actions.
The investigation indicates the threat actor had accessed and exfiltrated certain information on a confined part of the firm’s system, but not on our core document management system. On 9 June 2023, we became aware that the threat actor had published on their dark web forum at least some of the data they claim to have taken.
We take very seriously our ethical and moral duties to the community, and we consider we have a civic duty not to in any way encourage nor to condone criminal activity. We remain firmly of the view that our decision to prevent these criminals from receiving any benefit from their behaviour was the right one. Our refusal to submit to a ransom demand was commended by Minister for Cyber Security Clare O’Neil MP as, “the right call by the nation” and that it “helps the safety of every Australian citizen & company”.
McGrathNicol has concluded the remediation actions taken by HWLE have been effective in containing the incident and mitigating the risk of potential future incidents. We are confident that these actions have closed out the immediate impact of the incident, hardened our systems and enhanced our overall security posture moving forward.
We have also used the incident as an opportunity to plan and implement further long term security enhancements for the firm to deal with the ever evolving cyber security threat landscape.
UPDATE AS AT 18 SEPTEMBER 2023
We are nearing completion of our review of the data and our assessment of its impact on organisations and individuals. We are also in the process of working with impacted organisations to notify affected individuals.
We do not currently have precise timing for the completion of this notification exercise due to its complexity but we will continue to provide relevant updates to staff, clients, regulators and other stakeholders, and provide support to those impacted.
HWL Ebsworth will work with National Cyber Security Coordinator Air Marshal Darren Goldie – and other relevant government stakeholders – as he reviews the incident response and identifies lessons that will further inform the way the Australian Government, states and territories deal with future attacks.
HOW TO CONTACT US
If you have been impacted and have any queries, including in relation to the support that is available, please email hwlecyberhelp@hwle.com.au.
We thank our staff and clients for their ongoing patience and support as we continue to work through the incident.