Local firms could face cyber challenges after High Court supports ATO’s use of leaked data

By Tim Dillon | 16 September 2019

In August, Glencore lost its High Court battle against the Commissioner of Taxation to keep information leaked as part of the Paradise Papers from being used by the Australian Taxation Office (ATO) to assess its tax bill. The Court’s decision essentially means that Glencore cannot rely on legal privilege to prevent the ATO from accessing relevant information contained in the Paradise Papers document trove and other similar information leaks resulting from illegal hacks, Tim Dillon writes.

This is important because, while the High Court’s decision clearly has an immediate impact on how the ATO approaches legal privilege, it could also have a knock-on effect for the country’s legal industry in terms of cyber security and risk.

Second commissioner Jeremy Hirschhorn said in response to the Court’s ruling that “taxpayers are only one data leak away from their entire affairs being exposed”.

If taxpayers are now only “one data leak” away from their financial affairs being exposed, regardless of legal privilege, it is entirely possible that cyber criminals may begin looking at ways to capitalise on the perceived value of the kind of sensitive information held by law firms.

With this in mind, below are a few of the more successful attack types that law firms should watch out for and some tips about how best to prevent them from becoming a problem:

Social engineering – Social engineering is perhaps the most widespread and successful practice employed by cyber criminals today. It involves deception, manipulation or coercion of individuals, frequently through messaging channels like email or social media.

Some of the best ways to defend against phishing, and indeed social engineering more broadly, are regular training, attack simulations and information sessions among an organisation’s personnel, from the very bottom of the business, all the way to the very top, including the board.


Moreover, these training and simulation activities provide invaluable information with which to boost an organisation’s overall resilience against attacks. Indeed, NCC Group often uses the results from consultant-led phishing exercises in staff, C-level and board security awareness training to help demonstrate worst-case scenarios.

Exploitation of configuration and software vulnerabilities – There are innumerable kinds of vulnerabilities and associated weaknesses in software that hackers may choose to draw upon to compromise business systems.

The best way to protect against these threats is ensuring a robust asset management system that identifies and holds individuals responsible for keeping software securely configured.

A centralised software patch management regime is also important, and will help to keep applications and systems regularly updated with fixes protecting against known vulnerabilities.

However, organisations should also make use of a vulnerability management solution that regularly scans for issues missed in configuration and patch management, along with regular penetration testing of the relevant software, services or digital platforms.

Distribution of malware – Malware, a portmanteau of “malicious” and “software”, comes in many varieties. It is essentially any program or file that can harm or compromise a computer, server, network or client. Ransomware, spyware, Trojan horses and worms are all forms of malware.

Malware is commonly delivered via phishing emails and messages, a method that typically employs some level of social engineering, although there are other delivery methods, including fake or compromised websites and supply chain compromise.

As with social engineering, training, simulated attacks and information sessions present an effective means of defence against malware exploits, alongside technical solutions such as operating system hardening, antivirus software and regular software updates.

Guessing weak passwords and exploiting re-used passwords – This is probably the leading cause of business email compromise (BEC) and the scams that stem from it, which, according to the Australian Competition and Consumer Commission (ACCC), resulted in more than $5.4 million in reported losses by local businesses in the first six months of 2019.

Attackers can use breach data, either publicly available or sold on the dark web, to identify email and password pairs of the target law firm based on the company’s registered domains. Those emails and password pairs can then be used to wiggle the door handle of any login system facing the internet until they successfully gain access.

A good starting point to defend against such attacks is a company policy enforcing strong passwords and regular password changes. Encouraging users to migrate to passphrases over passwords is a good start, while multi-factor authentication – the use of at least two factors to authenticate access to a system – is another important step.
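
On the detection side, re-used breach credentials tend to show up in login logs as one source trying many different mailboxes, mostly failing. The sketch below is an added example, not part of the original article; the log tuple format, the examplelaw.test domain and the thresholds are assumptions to tune against a firm's own logs.

```python
from collections import defaultdict

# Constructed sample login events: (timestamp, source_ip, account, outcome)
SAMPLE_EVENTS = [
    # One external source walking through staff mailboxes, one try each
    ("2019-09-16T02:00:01", "203.0.113.7", "a.partner@examplelaw.test", "FAIL"),
    ("2019-09-16T02:00:03", "203.0.113.7", "b.associate@examplelaw.test", "FAIL"),
    ("2019-09-16T02:00:05", "203.0.113.7", "c.clerk@examplelaw.test", "OK"),
    ("2019-09-16T02:00:07", "203.0.113.7", "d.paralegal@examplelaw.test", "FAIL"),
    ("2019-09-16T02:00:09", "203.0.113.7", "e.accounts@examplelaw.test", "FAIL"),
    # Office NAT address: many accounts, almost all successful
    ("2019-09-16T08:58:10", "198.51.100.20", "a.partner@examplelaw.test", "OK"),
    ("2019-09-16T08:59:02", "198.51.100.20", "b.associate@examplelaw.test", "FAIL"),
    ("2019-09-16T08:59:20", "198.51.100.20", "b.associate@examplelaw.test", "OK"),
    ("2019-09-16T09:01:44", "198.51.100.20", "d.paralegal@examplelaw.test", "OK"),
    ("2019-09-16T09:03:15", "198.51.100.20", "e.accounts@examplelaw.test", "OK"),
    # One user mistyping their own password from home
    ("2019-09-16T21:10:00", "192.0.2.44", "c.clerk@examplelaw.test", "FAIL"),
    ("2019-09-16T21:10:12", "192.0.2.44", "c.clerk@examplelaw.test", "FAIL"),
    ("2019-09-16T21:10:30", "192.0.2.44", "c.clerk@examplelaw.test", "FAIL"),
]


def find_stuffing_sources(events, min_accounts=4, min_fail_ratio=0.5):
    """Flag sources that try many distinct accounts and mostly fail.

    Thresholds are assumptions, not values from the article.
    """
    per_ip = defaultdict(lambda: defaultdict(list))
    for _ts, ip, account, outcome in events:
        per_ip[ip][account].append(outcome)

    findings = {}
    for ip, accounts in per_ip.items():
        outcomes = [o for tries in accounts.values() for o in tries]
        fail_ratio = outcomes.count("FAIL") / len(outcomes)
        if len(accounts) >= min_accounts and fail_ratio >= min_fail_ratio:
            findings[ip] = {
                "accounts_tried": len(accounts),
                "fail_ratio": round(fail_ratio, 2),
                # Accounts that logged in from a flagged source need a
                # password reset and session revocation.
                "succeeded": sorted(a for a, t in accounts.items() if "OK" in t),
            }
    return findings


if __name__ == "__main__":
    for ip, detail in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, detail)
```

Any account listed under "succeeded" for a flagged source is the one to treat as compromised first.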

While these are just a few of the things law firms may want to watch out for, they are among the most popular ways criminals exfiltrate information from target organisations. The steps outlined above should be taken in conjunction with a broader cyber security strategy that spans the entire organisation.

Tim Dillon, NCC Group director of technical security consulting, APAC
