The agency responsible for the national disability insurance scheme is scrambling to learn whether sensitive client information related to appeal cases has been caught up in a large cybersecurity hack on the law firm HWL Ebsworth, which has represented the agency.
The Russian-linked ALPHV/Blackcat ransomware group said in a post on the dark web in late April that data from the law firm had been hacked. Earlier this month, the group published some of the data it claimed to have stolen – later established to be 3.6TB worth of data, of which 1.1TB has been posted.
Over the King’s birthday long weekend, the law firm obtained a non-publication order in the NSW supreme court attempting to prevent dissemination of the published material. One outcome of the injunction is that HWL Ebsworth clients must wait for the firm to inform them if their sensitive information has been caught up in the breach.
HWL Ebsworth has several hundred clients including dozens of federal government agencies, according to Austender contracts.
On Tuesday, the National Disability Insurance Agency – which manages the NDIS – said it was seeking information on whether it had been caught up in the hack.
“The [NDIA] is engaging with HWL Ebsworth regarding the cyber incident experienced by HWL Ebsworth and whether any NDIA information has been affected,” the spokesperson said.
The firm has represented the NDIA in legal appeals brought against the agency regarding client NDIS plans. As of September last year, there were nearly 4,000 appeals backlogged; however, the new government has been working to clear the caseload.
According to court documents for the case, obtained by Guardian Australia, at least one person with a case against a government agency has found their information in the leaked data. In an affidavit, HWL Ebsworth’s chief strategy officer, Russell Mailler, said the person “contacted the firm regarding personal information about him that he has found in the [hack]”.
“He has referred to three other applicants in similar matters whose data he has also apparently viewed,” Mailler said.
The firm wouldn’t comment on specific clients, but said it was continuing to do a detailed and comprehensive review of the data as swiftly as it can.
Australia’s chief privacy authority, the Office of the Australian Information Commissioner, last week said it was also a client of the firm and had been caught up in the breach, with “a document or documents relating to a limited number of OAIC files” included.
HWL Ebsworth had to notify the OAIC about the data breach as part of its overall breach reporting obligations, and the regulator will be responsible for any investigation into how the firm secured private information.
Court documents revealed HWL Ebsworth initially overlooked the ransom threats from ALPHV/Blackcat because the first email was marked as spam by those who received it, and the second email was caught in the firm’s anti-spam filters. It wasn’t until the post on the dark web came to light and a third email was received that the firm became aware of the legitimacy of the claims.
According to emails included in the affidavit, the hackers were seeking US$4m, to be transferred in cryptocurrency.
Michael DeBolt, chief intelligence officer with cybersecurity firm Intel 471, said ALPHV remains in the top three of ransomware groups at the moment. DeBolt said the group isn’t particularly focused on one country or one sector.
“ALPHV and its affiliates have conducted attacks around the world and across many industries, which suggests the group is mostly opportunistic when it comes to targeting,” he said. “Most of its attacks have taken place in North America, Europe and Asia. A small percentage took place in Oceania.
“This year, ALPHV has attacked organisations in verticals including manufacturing, energy, financial services and the legal sector, amongst others.”
He said it would be hard to predict how ALPHV would react to the court injunction taken out against them, but ransomware actors in the past have shown interest in how they’re portrayed in the media.
On Monday, NAB also said it was assessing whether it had been caught up in the hack.