
Cyber Incident Victim: Optus

Date:

Apr 2023

Location:

Australia

Summary

Optus suffered a data breach as a result of a major cyber attack on the law firm HWL Ebsworth, its external legal counsel. The compromised data included material relating to a regulatory investigation into the telco by the Office of the Australian Information Commissioner. The attack was attributed to the Russia-linked ALPHV (BlackCat) ransomware group, which stole a large volume of data from the firm and issued ransom demands. The incident occurred less than a year after Optus's own major cyber attack in September 2022.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

In April 2023, Optus was affected by a significant data breach resulting from a major cyber attack on the Australian law firm HWL Ebsworth. This came less than a year after Optus had suffered one of the largest cyber attacks in Australian history. The breach was not a direct attack on Optus's own infrastructure; it was a consequence of the compromise of files held by its external legal counsel. The stolen data included information relating to an investigation by the Office of the Australian Information Commissioner (OAIC) into Optus that had been launched in 2021. That was a separate investigation from the one the OAIC initiated following Optus's own major data breach in September 2022.


The attack on HWL Ebsworth was carried out by the Russia-linked ALPHV (BlackCat) ransomware group, which exfiltrated approximately 1.45 terabytes of data from the law firm. The group then contacted HWL Ebsworth with ransom demands, threatening to publish the stolen information if it was not paid. ALPHV follows a "big game hunting" model: it deliberately targets large, high-profile organisations whose data is sensitive enough, and whose operations are valuable enough, to support a large ransom demand. The group was identified as one of the most prolific threat actors operating against Australia, having compromised at least 14 Australian organisations, with a particular focus on the professional services sector. A notable escalation in its tactics was the publication of stolen data on the open internet rather than only on a dark-web leak site, widening the audience for the leaked material and increasing the pressure on victims.

Optus became aware that it had been affected by the HWL Ebsworth breach and engaged in dialogue with the OAIC. The telecommunications company stated it was working with the commissioner's office to determine the full extent to which its information was compromised in the incident. Optus committed to reviewing all documentation provided by HWL Ebsworth that related to the telco and undertook to contact any individuals whose data may have been affected. The company did not immediately confirm whether the stolen data included specific customer information or personal details.

The HWL Ebsworth attack had widespread repercussions, affecting a large number of major Australian organisations beyond Optus. The affected entities included the big four banks, multiple federal government departments, state government departments, and the OAIC itself. This breadth of impact underscored the concentration risk created by a single service provider that holds sensitive data for numerous clients: one intrusion exposed the confidential matters of every client whose files it held. HWL Ebsworth refused to pay the ransom. The law firm publicly stated that its top priority was to protect the community and that it would not reward the activities of cyber criminals, describing a fundamental civic duty not to encourage or condone criminal extortion.

The incident was a case of indirect data exposure for Optus, stemming from a third-party supplier's security failure. The compromised data formed part of legal proceedings and regulatory investigations rather than primary customer databases. The consequences for Optus included potential regulatory and privacy implications, given the sensitive nature of the information shared with legal counsel during an official investigation. The company's response focused on assessment and notification, working through the details provided by the law firm to understand the scope of what was taken. Data handed to outside counsel sits outside the client's own security controls, so the client's exposure is bounded only by what it chose to share, how long the recipient retained it, and how quickly the recipient detects and reports a compromise. The broader consequence was a renewed focus on supply chain security and on the risk inherent in sharing sensitive data with external partners, even those presumed to have robust security controls.

Sources
Sources available to members
1 source