
IPH’s data breach saw ‘limited’ accessed data, but $2–2.5m in non-underlying costs estimated

A forensic investigation into the cyber attack on ASX-listed IPH Limited has found a “limited set” of data was downloaded from one of its member firms by an unauthorised third party. The attack has contributed to a service charge budget shortfall — not to mention the non-underlying costs that may be incurred.

Jerome Doraisamy 17 April 2023 Big Law

Cyber attack

In mid-March, IP services group IPH Limited (ASX: IPH) detected unauthorised access to a portion of its IT environment. It subsequently halted trading and launched an investigation into the breach.

The cyber attack was on two of the intellectual property law group’s member firms: Spruson & Ferguson (Australia) and Griffith Hack.


Late last month, the listed IP services group provided an update to the market, noting that it was continuing its response to the “extent of and nature of the unauthorised access to the IT environment and data held within it”, in an investigation that was expected to extend over a number of weeks.

“IPH advises that it has now established new network infrastructure following a strict restoration process, and key system functionality has now been restored. Under the advice of cyber security experts, security has also been further enhanced, including additional preventative and detective controls to protect the IPH network,” the firm said in its market announcement. 

“The new systems are now in use by the two affected IPH member firms, and their transition back to normal operating procedures on these new systems is underway. All other IPH member firms continue to operate as normal.”

(Almost) completed investigation

In a market announcement posted earlier this evening (17 April), IPH noted that its forensic investigation is now “substantially” complete, and it has identified that a “limited set of data” was compromised by an unauthorised third party during the cyber incident.

That downloaded data originated from IPH’s Spruson & Ferguson (Australia) business and contained data relating to certain clients of that practice, as well as some historical financial and corporate information.

The listed firm found “no evidence to suggest”, it stressed, that data located on any other component of its IT network, including that of Griffith Hack, was compromised.

IPH is reviewing the downloaded dataset, it said, and is working with Spruson & Ferguson to contact affected clients, as well as ensure it meets its regulatory obligations.

Financial loss

Elsewhere, while the firm was able to enact its business continuity plan in response to the cyber attack, the affected member firms “did experience some business interruption”.

In March, IPH outlined, this disruption contributed to a service charge budget shortfall of “c$4.4 million (in aggregate)” for the two impacted businesses.

However, the firm proclaimed, while that shortfall will result in lost revenue, largely due to time-based charges which may not be recovered, “the event-driven nature of the IPH model means that IPH expects to recover a material proportion of this shortfall as delayed processing or invoicing of such events occurs over time”.

That said, the listed firm conceded, such amounts are difficult to quantify.

IPH also incurred costs in the course of responding to and investigating the cyber incident, it reported, including the engagement of specialist third parties and remediation of its network and IT systems.

“IPH currently estimates $2 to $2.5 million (pre-tax) will be incurred as non-underlying costs in its FY23 accounts related to this incident,” the firm said.

Those costs don’t take into account, it added, any additional costs that may arise out of complaints by affected customers and other individuals, not to mention any regulatory or litigation costs.

IPH is set to finalise its investigation and response to the cyber incident in the coming weeks, it concluded.