In April 2023, national law firm HWL Ebsworth was attacked by Russian ransomware group ALPHV (BlackCat). Approximately 4TB of data was exfiltrated before encryption. The stolen data included confidential legal files relating to government agencies — including the Australian Federal Police, the National Disability Insurance Agency, and multiple state governments — as well as financial institutions and private clients.
Why Professional Services Firms Are Targets
Law firms, accounting firms, and management consultancies hold some of the most concentrated high-value data in the economy. Client files contain commercially sensitive information, legal strategies, financial records, and personal information. A single successful attack on a professional services firm provides access to data relating to dozens or hundreds of clients simultaneously.
The Government Data Exposure
The HWL Ebsworth incident highlighted a category of risk that government agencies had not adequately assessed: the security posture of their legal and advisory service providers. Confidential government data was exposed not through a breach of government systems but through a breach of a private sector firm handling that data. Supply chain risk is not hypothetical.
The ALPHV Double Extortion Model
ALPHV threatened to publish the stolen data publicly if the ransom was not paid. HWL Ebsworth declined to pay. ALPHV published a substantial portion of the data. The firm subsequently sought and obtained injunctions in Australia to prevent further publication — a legal response to a technical incident that illustrated the complexity of ransomware consequences.
What Professional Services Firms Should Do
A formal cyber security assessment is the starting point: understanding current exposure before an incident occurs. Specific priorities for professional services firms are privileged access management for matters containing sensitive client data, robust MFA across all systems, data classification to identify the highest-value files, and an incident response plan tested before it is needed.
Do professional services firms face specific regulatory obligations after a breach?
Yes. Law firms, accounting firms, and others subject to professional conduct rules may have obligations to notify affected clients beyond the requirements of the Notifiable Data Breaches scheme. Specific obligations vary by profession and regulator. Legal counsel should be involved early in any incident response for a professional services firm.