The HWL Ebsworth ransomware attack shows the importance of understanding your data

Ransomware attacks are mounting; our advice for withstanding them. Plus all the latest in data privacy, security, and governance.

Anthony Woodward



Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.  

This month:

  • A court rules platforms like Meta can’t hide ugly data usage in their terms of service.
  • The US Securities and Exchange Commission gives public companies four days to disclose data breaches.
  • A new data breach consequence? Getting sued by the NBA.

But first: Time to get serious about ransomware.

If you only read one thing:  

Ransomware is on the rise; you need to prepare

The impact of the HWL Ebsworth ransomware attack continues to grow, with a subsidiary of Regional Express airline (Rex) and Judo Bank announcing they had been exposed as part of the hack.

The Australian law firm was a victim of a cyberattack from Russian-linked ransomware gang ALPHV/Blackcat in late April, with 3.6TB of data stolen and 1.4TB of the data published on the dark web in June.

Rex said “confidential exchanges” between it and a client had been exposed, though Rex Airlines had not been affected, while Judo Bank said it had provisionally contacted customers and employees it believed may have been impacted.

The firm has several hundred clients, making this a supply chain attack.

These clients include the Victorian and Queensland governments, who have also been caught up in the breach. In the case of Victoria, the attackers published highly sensitive legal documents on the dark web. Telecommunications provider Optus was also impacted, less than a year after its own attack, for which it faces legal action.

These ransomware hacks sometimes play out in slow motion over a long period, with a steady drip of new details and new victims. So far, the firm says it has spent 5000 hours and AU $250,000 fighting the hack. This process can feel especially drawn out when the target doesn’t know the scale of the impact because they can’t tell what data has been taken. When you have a client list as long as Ebsworth’s, it can feel daunting to consider what other sensitive discussions may be contained in that 3.6TB of data.

Ransomware attacks are growing, and the ecosystem that supports them is evolving. A new report from security consultant and anti-ransomware vendor Halcyon says a seemingly innocuous cloud hosting provider, Cloudzy, may be a front for an Iran-based company that provides command-and-control services to ransomware attackers. The report says threat actors connected to Russian, Chinese, Iranian, and North Korean governments had used Cloudzy’s services, which do not require formal identity verification and accept cryptocurrency as payment. Such services make ransomware attacks easier to launch.

From chaos to confidence  

Contrast this disruption with Fortescue Metals, which shrugged off a ransomware attack (from threat actor Cl0p, whom we discussed here last month) as a minor incident. Their tone? Confident.

Based on lessons from our customers, here is our advice for achieving that confidence:

  1. Clean and inventory your digital footprint and remove the data you don’t need.
  2. Prepare for attacks on service providers by ensuring they meet your standards.
  3. Review your business continuity management/disaster recovery processes.
  4. Give your data team the tools they need to execute.
  5. Incorporate cybersecurity expertise into board/governance models.

Ultimately, organizations that know their data, its location, and who can access it can confidently respond to these attacks. You must focus on building a comprehensive picture of the data you hold, its level of risk, and who has access. Then you can make better privacy decisions to remove what you don’t need and secure the most sensitive information.

Otherwise, you risk ending up like Ebsworth, or like Optus, which, nearly a year after its own cyberattack, says it still does not know how much data was stolen.

Privacy & governance  

The Australian Federal Court ordered two subsidiaries of Meta, Meta Israel and Onavo Inc, to each pay AU $10 million for misleading customers. Onavo provided a “free, secure” virtual private network (VPN) service that sent users’ behavioral data to parent company Meta for market research purposes. This was disclosed in the terms of service, but the court ruled this wasn’t good enough.

Speaking of Meta, privacy experts are warning about its new Threads app and the amount of data it collects. Relevant detail: Meta won’t launch the app in the European Union because it’s worried it will breach privacy regulations.

Video conferencing platform Zoom updated its terms to state it will train its AI on user content without an opt-out.

The EU-US Data Privacy Framework (DPF) went live in July, allowing organizations to transfer personal data from the European Economic Area (EEA) to US organizations self-certified under the DPF.

How CISOs can engage the C-suite and board to address cyber risk.

Kenya has suspended the iris-scanning cryptocurrency project Worldcoin due to privacy and safety concerns.

Google launched a dashboard that can alert you if personal information about you appears in search results and allows you to remove the data.


Google’s latest idea to reduce the risk of cyberattacks: don't let employees use the internet. Seems legit.

The United Kingdom Electoral Commission has apologized for a hostile cyberattack that accessed the personal data of 40 million voters. The commission discovered the attack last October and reported it within 72 hours to the Information Commissioner’s Office (ICO) and the National Crime Agency. Ten months later(!), it finally let the public know.

The US Securities and Exchange Commission (SEC) imposed strict new rules requiring publicly listed companies to disclose cyberattacks within four days. Four days is a tight deadline, but this puts the onus on companies to be vigilant and (wait for it) to understand their data.

An unexpected consequence of falling victim to a data breach? Getting sued by Adidas and the NBA for allegedly selling counterfeit goods.

US officials found suspected Chinese malware hidden in various military systems, with its intended use apparently disruption rather than surveillance.

📣The latest from RecordPoint  


APRA’s cybersecurity stocktake suggested financial entities’ struggle to safeguard customer data is caused by a failure to identify and classify critical and sensitive information assets. Read our advice on overcoming this challenge.

Then take a deeper dive into our advice for overcoming other gaps exposed by the stocktake, this time in supply chain security, control testing programs, and incident response.


RecordPoint VP of Engineering Josh Mason joined me for a special one-on-one episode of FILED, discussing how to minimize the impacts of a data breach through proper data management and preparation.  

