Judges warn personal details no longer safe in courts
With more Australian companies hit with cyber attacks in recent months, judges have cautioned practitioners against sharing information or using systems that may leave them vulnerable.
In the case management of a class action against Hays Recruitment, Justice Bernard Murphy took issue with the identification details the applicants required of participants – including the tax file numbers, bank account details and their proof of identity.
To continue reading the rest of this article, please log in.
Create free account to get unlimited news articles and more!
“I couldn’t think of a better way to assist a scammer,” he warned.
“I don’t know [who’s] requiring that, whether that’s the respondent or the applicant, but you need to come up with another way.”
The comments came just weeks after global law firm Allen & Overy suffered an attack on its storage systems, with Russian group LockBit claiming responsibility for the attack soon after.
Major firm HWL Ebsworth was hit with a major cyber attack more than six months ago at the hands of another Russian-linked ransomware group known as the ALPHV/BlackCat.
Information such as accounting data, client documentation, credit card information and a network map were released.
Justice Murphy said potential participants in the Hays class action may be unlikely to join if such personal details are required and suggested the firm contact people directly for them.
“I don’t know if either of you would provide your details to a law firm you haven’t met previously and haven’t had any dealings with,” Justice Murphy told the barristers in the room.
Justice Jonathan Beach heard similar concerns in an application concerning the transfer of a Deloitte report into the cyber attack that hit Optus last year and exposed millions of customer details.
During a conversation about which parts of the Deloitte report may need to be redacted, Optus counsel Kate Richardson said it was “not just a confidentiality issue, it’s a cyber security issue”.
Justice Beach agreed he would “loath to allow individuals overseas who may be associated with funders to see this material”.
It was suggested a third independent party could facilitate the transfer and any potential redaction process.
William Edwards, counsel for the applicants and Slater & Gordon, said they had been asked to fill out a questionnaire about features of the system that would hold the Deloitte report.
“Slater & Gordon has a sophisticated and appropriate system, and we would be surprised if our friends would have any concerns once we answer those questions,” Mr Williams flagged.
However, Ms Richardson said it was only the beginning.
“The questionnaire is a starting point, but it’s not enough for our purposes, and we have written to the applicant about the steps we would take in gaining assurance about the level of security.
“Other law firms have been hacked, so it is a significant and real issue,” Ms Richardson said.