BlackCat ransomware gang publishes 1.4TB of data stolen from Australian law firm HWL Ebsworth

Leading Australian law firm HWL Ebsworth suffered a significant data breach that involved threat actors accessing and stealing around 4 terabytes of data from the firm’s internal network.

In a data security incident notice, HWL Ebsworth said that on April 28, the notorious ALPHV/BlackCat ransomware gang uploaded a post on the dark web forum claiming to have infiltrated its internal systems and stolen vast amounts of data.

The law firm said it immediately engaged cyber security experts McGrathNicol to investigate the security incident and determine the scope of the same.

“The investigation indicates the threat actor had accessed and exfiltrated certain information on a confined part of the firm’s system, but not on our core document management system,” it said.

According to reports, the BlackCat ransomware gang demanded a ransom payment from the law firm and threatened to publish the stolen data if its demands weren’t met.

Reports also suggested that the ransomware gang infiltrated the employees’ systems and stole around 4 terabytes of data that included client and staff documents. An affidavit filed in the Supreme Court of New South Wales contained portions of negotiation happening between the law firm and the ransomware gang.

According to the negotiation log, HWL Ebsworth told the hackers that they were “trying our best” and said the partners in the firm had planned to meet on 1st May to discuss the matter.

“We will get back to you after our Monday meeting. We trust that there will be no surprises until then. It seems we both understand the consequences of data being posted,” the firm said.

“We warn you that if payment is not made, the information will be published in the public domain,” the ransomware gang replied. “I think you will understand how much data is worth after publishing. Upon receipt of reputational damage, fines from the state and courts. You are losing even more money than we ask. For your company, the fact that you pay this amount and forget about it will not matter much.”

When the law firm decided against paying the ransom, the group published around 1.4 terabytes of the stolen data on the dark web and threatened to publish the remaining data soon.

HWL Ebsworth acknowledged the data leak in late June, stating that “on 9 June 2023, we became aware that the threat actor had published on their dark web forum at least some of the data they claim to have taken.”

HWL Ebsworth’s chief strategy officer Russell Mailler said that the firm has notified the Australian Cyber Security Centre about the security incident and is working with them till the incident is resolved.

“The privacy and security of our client and employee information is of the utmost importance to us. As soon as we learned of this potential incident, we acted quickly to respond to the threat and have been working with third-party experts to determine the validity of the claims, and to ensure the ongoing safety and security of our systems.

“We will continue to provide updates to our stakeholders, as appropriate, as new information becomes available. While investigations are ongoing, our operations are not impacted, and our focus remains on providing exceptional service for our clients to the high standards of our firm,” Mailler said.