The Reserve Bank of Australia, the Department of the Prime Minister and Cabinet, and the Australian Federal Police are among 62 government entities that had sensitive data stolen during last year’s Russia-linked hack at HWL Ebsworth.
Nine months ago, prominent Russia-linked ransom gang AlphV (also known as Blackcat) took to social platform X (formerly Twitter) – claiming to have stolen four terabytes of data from Australian law firm HWL Ebsworth.
Given the law firm held tens of millions of dollars of contracts across several government departments and agencies, it wasn’t long before government officials took urgent action to address fears Commonwealth data may have been caught up in the attack.
The Albanese government established a crisis group to respond to the suspected data theft, and while the incident was eventually confirmed to have impacted NDIS participants, the Office of the Australian Information Commissioner, the Fair Work Ombudsman, and certain Defence projects, the public spent the latter half of 2023 largely in the dark over what Commonwealth data had been stolen.
Now, the government has finally revealed the entire list of government entities impacted by the 2023 data breach, including Prime Minister Anthony Albanese’s department itself.
The full list of agencies – provided to Shadow Minister for Cyber Security and Home Affairs, James Paterson, by the Department of Home Affairs – detailed 62 agencies affected by the HWL Ebsworth hack.
The affected agencies include the Department of Home Affairs itself, the Department of the Prime Minister and Cabinet, the Fair Work Ombudsman, Australia Post, the Reserve Bank of Australia, the Australian Federal Police, and the Australian Competition and Consumer Commission.
The government further admits “sensitive information” including legal advice provided to government entities, personal identifiable information (PII) relating to employees or clients of government entities, and details of “issues relating to national security and law enforcement” was exposed in the landmark hack.
Other exposed data includes vulnerable persons information – such as information relating to people with a disability, victims of crime and certain medical information – as well as corporate information relating to clients, contracts and projects.
Despite the severity of the reported data theft, the revelations come well after the initial April 2023 hack.
Paterson – who sought the list of impacted government entities back in October 2023 – told Information Age the belated turn-around was “concerning”.
“Only the Albanese government can explain why they have kept Australians in the dark for eight months about this very serious and wide ranging breach,” said Paterson.
“Given the sensitivity of the data lost, it is concerning that it is taking so long to get to the bottom of what was lost and to inform the affected parties.
“Australians are entitled to expect better from the federal government, particularly when they hand over such sensitive data to third party organisations like a law firm.
“It is incumbent on the government to ensure when they do so that sufficiently robust cyber security measures are in place to protect it.”
In its response to Paterson, the government emphasised that inclusion on the list “does not imply equal impact” across the detailed entities, and that “varying degrees of impact were observed” in both volume and sensitivity of records exposed.
A spokesperson for Australia Post – one of the entities appearing on the list – told Information Age it “experienced very limited exposure, with no customer data compromised”, while other entities are still working to determine the full impact.
“Some Australian Government entities are still working with HWL Ebsworth to understand the impact to their organisations’ information,” reads the government response.
In total, the AlphV ransomware gang behind the attack stole some 2.5 million documents from the law firm – one million of which were eventually posted online.
Recently, AlphV came to heads with multiple international law enforcement agencies – including the AFP – with the Federal Bureau of Investigation (FBI) boasting it hacked the group’s computer network and distributed some of its decryption keys to victims.
The full list of government entities deemed to have been impacted by the HWL Ebsworth breach:
1. Aged Care Quality and Safety Commission
2. AgriFutures Australia
3. Airservices Australia
4. Australian Broadcasting Corporation
5. Australian Commission for Law Enforcement Integrity
6. Australian Communications and Media Authority
7. Australian Competition and Consumer Commission
8. Australian Criminal Intelligence Commission
9. Australian Curriculum, Assessment and Reporting Authority (ACARA)
10. Australian Digital Health Agency
11. Australian Electoral Commission
12. Australian Federal Police
13. Australian Financial Security Authority
14. Australian Institute of Health and Welfare
15. Australian National University
16. Australian Pesticides and Veterinary Medicines Authority
17. Australian Postal Corporation
18. Australian Securities and Investment Commission
19. Australian Taxation Office
20. Civil Aviation Safety Authority
21. Comcare
22. Commonwealth Grants Commission
23. CSIRO
24. Defence Housing Australia
25. Defence Portfolio
26. Department of Agriculture, Fisheries and Forestry
27. Department of Climate Change, Energy, the Environment and Water
28. Department of Education
29. Department of Employment and Workplace Relations
30. Department of Finance
31. Department of Foreign Affairs and Trade
32. Department of Health and Aged Care
33. Department of Home Affairs
34. Department of Industry, Science and Resources
35. Department of Infrastructure
36. Department of Parliamentary Services
37. Department of Social Services
38. Department of the Prime Minister and Cabinet
39. Department of The Treasury
40. Department of Veterans Affairs
41. Digital Transformation Agency
42. Export Finance Australia
43. Fair Work Ombudsman
44. Geoscience Australia
45. Grains Research and Development Corporation
46. Hearing Australia
47. IP Australia
48. National Disability Insurance Agency
49. National Gallery of Australia
50. National Indigenous Australians Agency
51. National Transport Commission
52. NDIS Quality and Safeguards Commission
53. Northern Australia Infrastructure Facility
54. Office of Chemical Safety (AICIS)
55. Office of Parliamentary Counsel
56. Office of the Australian Information Commissioner
57. Organ and Tissue Authority
58. Regional Investment Corporation
59. Reserve Bank of Australia
60. Services Australia
61. Torres Strait Regional Authority
62. WSA Co Limited