How the HWL Ebsworth hack unfolded, as another Medibank class action is launched

On 28 April 2023, HWL Ebsworth experienced a ransomware attack which resulted in the theft of client information and employee data by a Russian-linked hacking group.  

The attack was first reported by the Australian Financial Review, with the ALPHV/Blackcat ransomware group claiming responsibility for the hack. The group claimed to have acquired four terabytes of company data, including client documents, financial reports, accounting data, credit card information, employee CVs and IDs as well as a network map. 

Following the hack, HWL Ebsworth told LSJ they are continuing to “investigate and gather accurate information in response to the claim that an unauthorised third party has extracted data from our firm”. 

“The privacy and security of our client and employee data remains of the utmost important to us and we are in contact with clients to advise them of the situation and the steps we are taking to deal with the event,” said a representative from the firm. 

“We acknowledge and understand the concern that this will raise for our clients and our people. Our focus remains on providing exceptional service and information to them and maintaining the high standards of our firm.” 

The firm is in contact with its clients to advise them of the situation and are working with the Australian Cyber Security Centre as investigations continue. 

Blackcat is one of the three ransomware groups targeting Australia, operating as a “ransomware-as-a-service” product for hire. They have been actively attacking large organisations in Australia since late 2021.  

Cybersecurity company Sophos previously warned that the group exploits vulnerabilities in unpatched or outdated firewall or virtual private network devices to break into networks. 

The professional and legal services industry has been identified as one of the main targeted industries for cyber-attacks in the Asia-Pacific region, according to a recent study by Palo Alto Networks.  

In response to last year’s cyber-attacks on Optus and Medibank, the Australian Government has increased resources for the Australian Federal Police and appointed a national cybersecurity coordinator.  

Minister for Home Affairs Clare O’Neil said the government sees groups acting for financial gain as “public enemy No 1”.  

“These groups subvert legitimate business models for financial gain, creating online portals for ‘hacking as a service’ where anyone can purchase the tools and support necessary to conduct a cyber incident or data, especially in the form of a ransomware attack,” said O’Neil. 

“These groups represent a threat to our national economic life because every sector, every business that can pay, is a target,” she said. 

Slater and Gordon issues class action against Medibank 

Meanwhile, class action law firm Slater and Gordon has commenced legal proceedings against Medibank on behalf of current and former customers seeking compensation for the data breach that occurred in October 2022.  

It comes within weeks of Slater and Gordon also commencing proceedings against Optus over the data breach that occurred a month before the hack on Medibank, and affected approximately 10 million people.  

The Medibank cyber-attack was carried out by a Russian ransomware group which gradually released customer’s personal information onto the dark web. The affected customers not only include Medibank’s clients but also those of its subsidiary, Australian Health Management (ahm), and travel insurance products.  

Three other law firms, Maurice Blackburn Lawyers, Bannister Law Class Actions and Centennial Lawyers, initiated separate litigation earlier this year.  

Slater and Gordon allege that Medibank failed to take reasonable steps to protect their customers’ personal information, destroy or de-identify information and comply with legal obligations in relation to the collection and storage of data.  

The class action accuses Medibank of breaching its contractual obligations to its customers to ensure that “adequate and appropriate security controls [are] in place”. 

Ben Hardwick, Practice Group leader at Slater and Gordon Class Actions, said it was “one of the most serious data breaches in Australia’s history given the number of people whose information was compromised, and the nature of the information disclosed”. 

“Health information is something most people keep incredibly private and want kept between them, their doctors or health providers, and their insurer,” said Hardwick. 

“Medibank should have had adequate measures in place to prevent all of this, yet they didn’t.”