Fallout from the HWL Ebsworth has resulted in 16 current and former Australian Federal Police (AFP) personnel being the most at risk.

Responding to questioning by Senator and shadow cyber security minister James Paterson (pictured), AFP chief operating officer Charlotte Tressler revealed that a total of 67 current and former AFP members were affected in the breach.

“Overall, 67 current and former AFP appointees were affected. Fifty-one of those weren’t related to what we call a notifiable breach,” she told the legal and constitutional affairs legislation committee early last week.

“That sort of information included things like mobile phone numbers, names, et cetera. We did have 16 current and former members that did have a notifiable breach, and we assessed that there would be a potential risk of serious harm to those appointees.”

While Tressler did not specify the nature of the critical information released for the 16, she told Paterson that it is evaluating its processes and the way it will screen the security standards of third-party service providers in the future.

“We’re looking at a range of matters into that. In particular, we’re looking at what we’re calling a third-party risk management handbook, which is being drafted,” she said.

“We’re still going through our clearance processes but need to have that in place. It will look at roles and responsibilities for key stakeholders, deadlines, and time frames around our procurement processes, ensuring that we’re assessing the risk is associated with particular arrangements.

VIEW ALL

“We [are] also refreshing the risk assessment process that we use when contracting with providers. From a legal perspective as well, we’ve been strengthening the standard clauses that get included into a contract so that we’ve got greater protections.

“Our IT area is also looking at trialling a tool that will help strengthen these arrangements further.”

Tressler also added that the AFP had engaged support services for the 16 critically affected AFP personnel.

On top of IDCARE, the national identity and cyber support community service that HWL Ebsworth had engaged for victims free of charge, it has also offered them security advice, as well as tips for mitigating the impact they may face. They also offered mental health and wellbeing support.

The HWL Ebsworth breach of April 2023 rocked the nation, affecting 65 government agencies, including the Office of the Australian Information Commissioner (OAIC) and major organisations like the big four banks.

In September, the hacking group claiming responsibility for the breach, ALPHV, published 1.1 terabytes of the data it had claimed to have stolen, which later was found to be 3.6 terabytes of data.

In response to the breach, HWL Ebsworth engaged several measures to limit the impact of the breach, including a court injunction that “seeks to prohibit further access to, use, dissemination or publishing of the data disclosed on the dark web, including by the media”, saying it believed this would be against public interest.

Despite experts warning that cyber criminals who have already committed crimes by stealing the data were unlikely to adhere to the injunction, it went ahead.

This has landed HWL Ebsworth in even more hot water, as some of its victims have only just been notified about being impacted six months after the breach occurred, as it meant only HWL Ebsworth themselves could analyse the data and inform those whose data was compromised.

The law firm claimed that the reason that it took so long for the victims to be notified was that there was a large volume of data stolen and that determining what was compromised and who was affected required manual analysis.

“A very large volume of data was extracted, but it was not immediately apparent the extent of the impact to personal information,” said HWL Ebsworth.

“A complex manual review was needed to assess what personal information was involved and identify affected persons.”