A full timeline of the HWL Ebsworth data breach

The HWL Ebsworth data breach is yet another example of the potentially devastating impacts of a ransomware attack. The Financial Review has reported that the commercial law firm, Australia’s largest legal partnership, has already dedicated more than 5,000 hours and a quarter of a million dollars to combatting the hacking incident. And we know from previous data breaches that direct and indirect costs often snowball far beyond any initial losses.

It’s not just notable as another cautionary tale, though. Not only was the scale of the attack significant by itself, but the sensitive nature of the stolen data – and the firm’s massive client list, which includes organisations like the Reserve Bank and most of the ASX top 50 – should have finance leaders on high alert. As more data hits the dark web, scamming tactics become increasingly targeted and harder to detect.

So how did the attack go down and what’s the latest on the potential fallout for other organisations? Let’s take a look.

Late April 2023: HWL Ebsworth learns of attack, hackers issue ransom demand

At the beginning of May, the Financial Review reported that the infamous hacking group ALPHV (sometimes known as BlackCat) claimed to have pilfered four terabytes of data from HWL Ebsworth’s servers – this claim later turned out to be smaller in reality, but it was clear that a malicious actor had accessed a huge trove of data.

Worse, the data allegedly encompassed internal financial reports and accounting data, along with client documents like loan data, credit card information and other financial information. A firm representative told media outlets that the organisation was aware of the incident and already working with the Australian Cyber Security Centre (ACSC).

But the action started earlier than that. In court documents obtained by the media (more on that later), the firm initially learned about the attack through emails that were assumed to be spam – those messages started as early as 26 April. In one email from a sender claiming to be part of ALPHV, a managing partner was urged to “connect with us” and told not to contact authorities.

It wasn’t long after these initial communications that the firm was spotted on ALPHV’s victim list. According to media reports, the firm spent the weekend trying to investigate as quickly as possible and to identify exactly which information had been stolen. Partners were alarmed to see screenshots that seemingly confirmed the group’s claims about breaching sensitive client data.

Legal documents show that the firm was in contact with the hackers, who had issued a ransom demand of US$4.6 million in bitcoin.

May 2023: Media attention intensifies, clients peel away

In early May, the firm was urging hackers not to publish any data if they wanted partners to entertain payment. The cyber-criminals were getting restless and, on 5 May, told the firm to make a decision or face publication of the data.

On 8 May, HWL Ebsworth communicated the incident to the Office of the Australian Information Commissioner (OAIC) – possibly an eye-raising notification, since the OAIC is also a client of the firm.

Later that month, the threat actors began releasing some of the data on the dark web, possibly a tactic to pressure the firm into caving to ransom demands – a similar method used against Medibank.

By this point, the incident was widely reported and HWL Ebsworth was already seeing serious repercussions, with several large clients withdrawing their files from the firm. Those included Commonwealth Bank of Australia, La Trobe Financial and ING Bank.

June 2023: Hackers publish data, firm takes legal action

On 3 June, ALPHV issued a final warning to HWL Ebsworth to pay the ransom, even promising a “discount.” But court affidavits indicate that partners were not willing to negotiate or engage. Six days later, around 1.4TB of the stolen data appeared on the dark web. Around mid-June, HWL Ebsworth took action of its own, seeking an injunction from the NSW Supreme Court. The goal of the injunction was to prevent ALPHV – and any third parties with knowledge of the stolen data – from accessing or sharing it.

The court granted the interim orders. Unsurprisingly, an ALPHV representative failed to appear at the following court hearing.

In the meantime, a mind-boggling number of high-profile organisations and government agencies have been exposed in the published data tranche. That includes the Australian Federal Police, the Australian Criminal Intelligence Commission, Austrac and the Defence Department – including government files relating to top-secret weapons testing, infrastructure projects, and international intelligence.

How did hackers breach HWL Ebsworth?

When initial reports surfaced, there was speculation that threat actors had infiltrated the firm’s system through vulnerabilities in unpatched or outdated software.

However, advisory firm McGrathNicol’s forensic report traced the hackers’ entry point to a personal device used by a staff member, alleging that the group had compromised credentials for one of the firm’s lawyers in April. If accurate, then the breach stemmed from human error, just like the vast majority of cyber incidents before it.

Who hacked HWL Ebsworth?

The attackers, ALPHV or BlackCat, have a history of going after high-profile organisations with highly sensitive data, with 40% of their attacks in Australia targeting firms in this sector.

These cyber-criminals are usually Russian-speaking and operate lucrative ransomware-as-a-service (RaaS) operations. They often exploit software vulnerabilities and employ malicious ads to gain initial access.

What should financial leaders know about the data breach?

It’s hard to overstate the size of HWL Ebsworth’s client list or the prominence of its clients. Even if your organisation wasn’t impacted, there’s a good chance you’ve done business with someone who was.

Small amounts of personal information can help scammers and hackers put together comprehensive profiles of targets, whether they’re trying to compromise credentials or impersonate a trusted contact (or both). But the data stolen from HWL Ebsworth included a lot more than employee and client information – it included sensitive financial data, government invoices and more.

In other words, the dark web is now awash with even more data that scammers can use to either compromise your organisation or deceive your employees into making fraudulent payments – or simply giving up sensitive information of your own.

There are a few steps that financial leaders can take to defend their organisations:

Fortify your finance function with an anti-cyber-crime strategy.

AP and finance professionals are common targets for cyber-criminals. Luckily, there’s a lot more you can do to protect your organisation.

Download our free Cybersecurity Guide for CFOs to create and implement a comprehensive anti-cyber-crime strategy.

Download Guide