Cyber Brief for CFOs: October 2024
Each month, the team at Eftsure monitors the headlines for the latest accounts payable (AP) and security news. We bring you all …
The HWL Ebsworth data breach is yet another example of the potentially devastating impacts of a ransomware attack. The Financial Review has reported that the commercial law firm, Australia’s largest legal partnership, has already dedicated more than 5,000 hours and a quarter of a million dollars to combatting the hacking incident. And we know from previous data breaches that direct and indirect costs often snowball far beyond any initial losses.
It’s not just notable as another cautionary tale, though. Not only was the scale of the attack significant by itself, but the sensitive nature of the stolen data – and the firm’s massive client list, which includes organisations like the Reserve Bank and most of the ASX top 50 – should have finance leaders on high alert. As more data hits the dark web, scamming tactics become increasingly targeted and harder to detect.
So how did the attack go down and what’s the latest on the potential fallout for other organisations? Let’s take a look.
At the beginning of May, the Financial Review reported that the infamous hacking group ALPHV (sometimes known as BlackCat) claimed to have pilfered four terabytes of data from HWL Ebsworth’s servers – this claim later turned out to be smaller in reality, but it was clear that a malicious actor had accessed a huge trove of data.
Worse, the data allegedly encompassed internal financial reports and accounting data, along with client documents like loan data, credit card information and other financial information. A firm representative told media outlets that the organisation was aware of the incident and already working with the Australian Cyber Security Centre (ACSC).
But the action started earlier than that. In court documents obtained by the media (more on that later), the firm initially learned about the attack through emails that were assumed to be spam – those messages started as early as 26 April. In one email from a sender claiming to be part of ALPHV, a managing partner was urged to “connect with us” and told not to contact authorities.
It wasn’t long after these initial communications that the firm was spotted on ALPHV’s victim list. According to media reports, the firm spent the weekend trying to investigate as quickly as possible and to identify exactly which information had been stolen. Partners were alarmed to see screenshots that seemingly confirmed the group’s claims about breaching sensitive client data.
Legal documents show that the firm was in contact with the hackers, who had issued a ransom demand of US$4.6 million in bitcoin.
In early May, the firm was urging hackers not to publish any data if they wanted partners to entertain payment. The cyber-criminals were getting restless and, on 5 May, told the firm to make a decision or face publication of the data.
On 8 May, HWL Ebsworth communicated the incident to the Office of the Australian Information Commissioner (OAIC) – possibly an eye-raising notification, since the OAIC is also a client of the firm.
Later that month, the threat actors began releasing some of the data on the dark web, possibly a tactic to pressure the firm into caving to ransom demands – a similar method used against Medibank.
By this point, the incident was widely reported and HWL Ebsworth was already seeing serious repercussions, with several large clients withdrawing their files from the firm. Those included Commonwealth Bank of Australia, La Trobe Financial and ING Bank.
On 3 June, ALPHV issued a final warning to HWL Ebsworth to pay the ransom, even promising a “discount.” But court affidavits indicate that partners were not willing to negotiate or engage. Six days later, around 1.4TB of the stolen data appeared on the dark web. Around mid-June, HWL Ebsworth took action of its own, seeking an injunction from the NSW Supreme Court. The goal of the injunction was to prevent ALPHV – and any third parties with knowledge of the stolen data – from accessing or sharing it.
The court granted the interim orders. Unsurprisingly, an ALPHV representative failed to appear at the following court hearing.
In the meantime, a mind-boggling number of high-profile organisations and government agencies have been exposed in the published data tranche. That includes the Australian Federal Police, the Australian Criminal Intelligence Commission, Austrac and the Defence Department – including government files relating to top-secret weapons testing, infrastructure projects, and international intelligence.
When initial reports surfaced, there was speculation that threat actors had infiltrated the firm’s system through vulnerabilities in unpatched or outdated software.
However, advisory firm McGrathNicol’s forensic report traced the hackers’ entry point to a personal device used by a staff member, alleging that the group had compromised credentials for one of the firm’s lawyers in April. If accurate, then the breach stemmed from human error, just like the vast majority of cyber incidents before it.
The attackers, ALPHV or BlackCat, have a history of going after high-profile organisations with highly sensitive data, with 40% of their attacks in Australia targeting firms in this sector.
These cyber-criminals are usually Russian-speaking and operate lucrative ransomware-as-a-service (RaaS) operations. They often exploit software vulnerabilities and employ malicious ads to gain initial access.
It’s hard to overstate the size of HWL Ebsworth’s client list or the prominence of its clients. Even if your organisation wasn’t impacted, there’s a good chance you’ve done business with someone who was.
Small amounts of personal information can help scammers and hackers put together comprehensive profiles of targets, whether they’re trying to compromise credentials or impersonate a trusted contact (or both). But the data stolen from HWL Ebsworth included a lot more than employee and client information – it included sensitive financial data, government invoices and more.
In other words, the dark web is now awash with even more data that scammers can use to either compromise your organisation or deceive your employees into making fraudulent payments – or simply giving up sensitive information of your own.
There are a few steps that financial leaders can take to defend their organisations:
Each month, the team at Eftsure monitors the headlines for the latest accounts payable (AP) and security news. We bring you all …
Discover key insights from the OAIC report on data breaches, including the impact of human error and strategies for CFOs to protect their organisations.
Discover key trends from SXSW’s “Friend or Foe: Whose Side is AI on in the Digital Scam Wars?” and how AI is transforming both fraud prevention and execution.
Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.