The Reserve Bank of Australia, the Department of the Prime Minister and Cabinet, and the Australian Federal Police are among 62 government entities that had sensitive data stolen during last year’s Russia-linked hack at HWL Ebsworth.

Nine months ago, prominent Russia-linked ransom gang AlphV (also known as Blackcat) took to social platform X (formerly Twitter) – claiming to have stolen four terabytes of data from Australian law firm HWL Ebsworth.

Given the law firm held tens of millions of dollars of contracts across several government departments and agencies, it wasn’t long before government officials took urgent action to address fears Commonwealth data may have been caught up in the attack.

The Albanese government established a crisis group to respond to the suspected data theft, and while the incident was eventually confirmed to have impacted NDIS participants, the Office of the Australian Information Commissioner, the Fair Work Ombudsman, and certain Defence projects, the public spent the latter half of 2023 largely in the dark over what Commonwealth data had been stolen.

Now, the government has finally revealed the entire list of government entities impacted by the 2023 data breach, including Prime Minister Anthony Albanese’s department itself.

The full list of agencies – provided to Shadow Minister for Cyber Security and Home Affairs, James Paterson, by the Department of Home Affairs – detailed 62 agencies affected by the HWL Ebsworth hack.

The affected agencies include the Department of Home Affairs itself, the Department of the Prime Minister and Cabinet, the Fair Work Ombudsman, Australia Post, the Reserve Bank of Australia, the Australian Federal Police, and the Australian Competition and Consumer Commission.

The government further admits “sensitive information” including legal advice provided to government entities, personal identifiable information (PII) relating to employees or clients of government entities, and details of “issues relating to national security and law enforcement” was exposed in the landmark hack.

Other exposed data includes vulnerable persons information – such as information relating to people with a disability, victims of crime and certain medical information – as well as corporate information relating to clients, contracts and projects.

Despite the severity of the reported data theft, the revelations come well after the initial April 2023 hack.

Paterson – who sought the list of impacted government entities back in October 2023 – told Information Age the belated turn-around was “concerning”.

“Only the Albanese government can explain why they have kept Australians in the dark for eight months about this very serious and wide ranging breach,” said Paterson.

“Given the sensitivity of the data lost, it is concerning that it is taking so long to get to the bottom of what was lost and to inform the affected parties.

“Australians are entitled to expect better from the federal government, particularly when they hand over such sensitive data to third party organisations like a law firm.

“It is incumbent on the government to ensure when they do so that sufficiently robust cyber security measures are in place to protect it.”

In its response to Paterson, the government emphasised that inclusion on the list “does not imply equal impact” across the detailed entities, and that “varying degrees of impact were observed” in both volume and sensitivity of records exposed.

A spokesperson for Australia Post – one of the entities appearing on the list – told Information Age it “experienced very limited exposure, with no customer data compromised”, while other entities are still working to determine the full impact.

“Some Australian Government entities are still working with HWL Ebsworth to understand the impact to their organisations’ information,” reads the government response.

In total, the AlphV ransomware gang behind the attack stole some 2.5 million documents from the law firm – one million of which were eventually posted online.

Recently, AlphV came to heads with multiple international law enforcement agencies – including the AFP – with the Federal Bureau of Investigation (FBI) boasting it hacked the group’s computer network and distributed some of its decryption keys to victims.

The full list of government entities deemed to have been impacted by the HWL Ebsworth breach:

1. Aged Care Quality and Safety Commission

2. AgriFutures Australia

3. Airservices Australia

4. Australian Broadcasting Corporation

5. Australian Commission for Law Enforcement Integrity

6. Australian Communications and Media Authority

7. Australian Competition and Consumer Commission

8. Australian Criminal Intelligence Commission

9. Australian Curriculum, Assessment and Reporting Authority (ACARA)

10. Australian Digital Health Agency

11. Australian Electoral Commission

12. Australian Federal Police

13. Australian Financial Security Authority

14. Australian Institute of Health and Welfare

15. Australian National University

16. Australian Pesticides and Veterinary Medicines Authority

17. Australian Postal Corporation

18. Australian Securities and Investment Commission

19. Australian Taxation Office

20. Civil Aviation Safety Authority

21. Comcare

22. Commonwealth Grants Commission

23. CSIRO

24. Defence Housing Australia

25. Defence Portfolio

26. Department of Agriculture, Fisheries and Forestry

27. Department of Climate Change, Energy, the Environment and Water

28. Department of Education

29. Department of Employment and Workplace Relations

30. Department of Finance

31. Department of Foreign Affairs and Trade

32. Department of Health and Aged Care

33. Department of Home Affairs

34. Department of Industry, Science and Resources

35. Department of Infrastructure

36. Department of Parliamentary Services

37. Department of Social Services

38. Department of the Prime Minister and Cabinet

39. Department of The Treasury

40. Department of Veterans Affairs

41. Digital Transformation Agency

42. Export Finance Australia

43. Fair Work Ombudsman

44. Geoscience Australia

45. Grains Research and Development Corporation

46. Hearing Australia

47. IP Australia

48. National Disability Insurance Agency

49. National Gallery of Australia

50. National Indigenous Australians Agency

51. National Transport Commission

52. NDIS Quality and Safeguards Commission

53. Northern Australia Infrastructure Facility

54. Office of Chemical Safety (AICIS)

55. Office of Parliamentary Counsel

56. Office of the Australian Information Commissioner

57. Organ and Tissue Authority

58. Regional Investment Corporation

59. Reserve Bank of Australia

60. Services Australia

61. Torres Strait Regional Authority

62. WSA Co Limited