NDIS Agency Faces Risk Of Leaked Sensitive Client Information Following HWL Ebsworth Hack

Following a major cybersecurity breach targeting law firm HWL Ebsworth, which has represented the National Disability Insurance Scheme (NDIS) Agency in Australia, the agency is urgently investigating the potential exposure of sensitive client information related to appeal cases.

The ALPHV/Blackcat ransomware group, believed to have Russian links, announced on the dark web in late April that they had successfully hacked data from the law firm. Subsequently, the group released a portion of the stolen data, amounting to 3.6TB, with 1.1TB already made public.

During the recent holiday weekend, HWL Ebsworth obtained a non-publication order from the NSW supreme court to prevent further dissemination of the compromised material. As a result, clients of the law firm will have to rely on the firm’s communication to determine if their sensitive information has been affected by the breach.

As HWL Ebsworth, the law firm targeted in the cyberattack, has numerous clients, including several federal government agencies, the potential impact of the breach extends beyond the law firm itself. The National Disability Insurance Agency (NDIA), responsible for managing the NDIS, has expressed concerns about whether their information may have been compromised and is actively seeking clarification.

The NDIA spokesperson stated “The [NDIA] is engaging with HWL Ebsworth regarding the cyber incident experienced by HWL Ebsworth and whether any NDIA information has been affected”.

HWL Ebsworth has been representing the NDIA in legal appeals related to client NDIS plans. At the time of September last year, there were approximately 4,000 appeals awaiting resolution, but efforts have been made by the new government to address the backlog and expedite the process.

Court documents obtained by Guardian Australia indicate that at least one individual involved in a case against a government agency has discovered their personal information within the leaked data resulting from the cyberattack. In an affidavit, Russell Mailler, Chief Strategy Officer at HWL Ebsworth, confirmed that the affected person “contacted the firm regarding personal information about him that he has found in the [hack]”.

Mailler further stated that “He has referred to three other applicants in similar matters whose data he has also apparently viewed.”

HWL Ebsworth, the law firm affected by the cyber breach, is currently engaged in a thorough and expedient examination of the compromised data, although specific clients have not been disclosed by the firm.

The Office of the Australian Information Commissioner (OAIC), the country’s principal privacy authority, confirmed that it is also a client of HWL Ebsworth and has been impacted by the breach. The OAIC reported that a limited number of its files were included in the leaked documents.

As part of its breach reporting obligations, HWL Ebsworth notified the OAIC about the data breach, and it will be the responsibility of the regulator to investigate how the law firm safeguarded private information.

According to court documents, HWL Ebsworth initially overlooked the ransom threats from the ALPHV/Blackcat group, as the first email was mistakenly marked as spam by recipients, and the second email was filtered out by the firm’s anti-spam system. It was only after the dark web post emerged and a third email was received that the firm realized the authenticity of the claims.