Background
The hackers contacted HWLE from an identified email address and claimed to have stolen 4 terabytes of data by infiltrating HWLE’s computer system, including valuable internal data. A ransom of at least $4 million dollars was demanded, or else documents would be released publicly. HWLE was able to verify that the hackers had managed to access and transfer at least 2 million of HWLE’s files out of HWLE’s own servers based at HWLE’s Melbourne office, and this was done from Bulgaria.
After the initial ransom demand, the hackers, who were known to the Australian Signals Directorate (ASD) (the national body entrusted to conduct operations to defend Australians and Australian businesses against cyber risks) made further demands and threats, but HWLE refused to pay the ransom.
In June 2023, the hackers posted further warnings in their online forum on the ‘dark web’, sent a further ransom email to HWLE and eventually released a ‘sample cache’ containing 1.4 terabytes of HWLE on the dark web.
How did HWLE respond?
In response, HWLE commenced legal action against the hackers.
First, HWLE filed a Summons in the NSW Supreme Court seeking an urgent injunction to restrain the Defendants(i.e. the hackers) from dealing with HWLE’s stolen data without HWLE’s consent. Furthermore, HWLE also sought to extend the injunction to any third party in possession of the stolen data.
As HWLE could not identify any of the hackers before the proceedings were commenced, the Summons was filed against “persons unknown”.
On 12 June 2023, the NSW Supreme Court granted an interim injunction against the Defendants, with service of the interlocutory orders sent to the email address that the hackers had used to communicate their demands. The orders were also placed in the forum on the dark web where the hackers had made their threats.
By this stage, HWLE said it had already spent 5,000 hours and $250,000.00 dealing with the hacking incident. By 27 June 2023, the sample cache of HWLE data could no longer be found at the dark web forum where it had previously been identified.
Further Court Proceedings
In August 2023, HWLE filed a Statement of Claim seeking a permanent injunction to prevent use of the stolen data. As before, the Statement of Claim was served on the Defendants via email and the dark web forum.
However, the Defendants failed to appear and, under Orders from the Court, HWLE filed documents for Default Judgement. The Court granted the application and made the following Orders:
- The Defendants and any third party in possession of the data that is made aware of the Orders were restrained from doing any of the following without HWLE’s
- Placing the data on the internet
- Transmitting, publishing or disclosing the data to any person or facilitating such steps;
- Using (including viewing) any information obtained from the data in their possession for any purpose, other than for the purpose of obtaining legal advice in connection with these orders; and
- Promoting, or publishing any links to, locations from which the data may be downloaded.
- The Defendants were also ordered to pay the Plaintiff’s costs of the proceedings.
Although the identity of the hackers was not known and it would be difficult to enforce the Orders against them, an important element of the Orders was that it applied to third parties. The purpose of this was to prevent the stolen information from being distributed and used, and therefore reduce some of the damage caused by the information being stolen.
Further Fallout - National Office of Cyber Security
The seriousness of the HWLE hack prompted the National Office of Cyber Security (NOCS) to prepare a report, including recommendations on how it can better assist organisations when a hack has occurred. The NOCS has committed to:
- Publish resources on the role of NOCS during a cyber security incident and how impacted organisations can request coordinated support to manage the consequences of incidents.
- Develop a playbook for the professional services sector, which will outline how government and industry can work together to respond to an incident impacting the sector.
- Develop processes to support broader engagement with industry and enable other directly impacted industry entities to benefit from a coordinated response to an incident.
- Improve processes for the disclosure of relevant information relating to the coordination of incidents impacting Australian government entities.
- Engage with state and territory governments to better integrate their interests into coordinated consequence management activities, especially when multiple government entities within a jurisdiction are impacted by an incident.
How Sharrock Pitman Legal can help?
When it comes to data breaches and stolen information, whether personal or business-related, time is of the essence.
Being vigilant and acting quickly when a breach is detected is can save your business and keep your customer and corporate information secure.
If you ever find yourself the subject of a ransom claim, urgently seek legal advice. Our Disputes & Litigation team can help you manage the legal consequences of a data breach. Do not hesitate to contact us by email at litigation@sharrockpitman.com.au or telephone 1300 205 506.
Further reading
Hacked? Do you have an obligation to notify under Australia’s Mandatory Data Breach scheme
Taking action against fraud: Protecting your assets and rights
Failure to Adequately Manage Cybersecurity Risks in the Financial Services Industry
The information contained in this article is intended to be of a general nature only and should not be relied upon as legal advice. Any legal matters should be discussed specifically with one of our lawyers.
Liability limited by a scheme approved under Professional Standards Legislation.
Mitchell is the Managing Principal of our law practice.
He is an Accredited Specialist in Commercial Law (accredited by the Law Institute of Victoria). He also deals with areas of Employment Law, Wills & Estate Planning and Probate. For further information, contact Mitchell on his direct line (03) 8561 3318.
