Cyber Incident Victim: Mahoney Horner Lawyers

On or around April 29, 2023, Mahoney Horner Lawyers, a Wellington-based law firm, experienced a significant cyber incident. The breach was not a direct attack on the firm's own systems but was the result of unauthorized access to a third-party server operated by Lantech Services. This unauthorized access led to the copying of client data held by the law firm. The firm became aware of the incident and, on May 30, 2023, formally notified the Office of the Privacy Commissioner of New Zealand that they had been impacted by this cyber hack. The notification indicated the attack on Lantech Services had occurred the previous day, establishing a timeline where the data compromise happened on or about April 29.

The primary impact of the incident was the theft of sensitive client information. The data copied by the unauthorized third party included comprehensive client files. The firm stated that if a client had provided a copy of their driver’s licence or passport within the preceding three years, it was highly likely that copy was included in the exfiltrated data. Furthermore, the compromised information extended beyond simple identification documents to include entire case narratives and account details, constituting a full breach of the confidential legal matters clients had entrusted to the firm.

By Monday, May 1, 2023, Mahoney Horner Lawyers began communicating with its clientele regarding the breach. The firm sent an email to clients providing an update on the cyber incident. This communication acknowledged the seriousness of the situation, stating there was a “real risk” that the copied information could ultimately be leaked. The email explained that the firm's immediate priority was to conduct a thorough analysis to confirm exactly what personal information had been copied and to identify high-risk data. This process was described as time-consuming, which delayed the firm's ability to make personal contact with every individually affected client on a swift basis.

In its communication, the firm was explicit about the potential consequences of a data leak. It stated that the most likely use of the stolen data would be for attempted financial fraud, particularly through the exploitation of government-issued identification documents like driver's licences and passports. The firm expressed profound regret for the breach, apologizing for the impact on clients and acknowledging that the information was provided to be held in the strictest confidence. The breach was attributed to the unauthorized access of the third-party server, shifting the point of failure to their service provider, Lantech Services.

The response from an affected client, who chose to remain anonymous, highlighted the personal impact and frustration. The client reported being “pissed off” and “pretty upset” upon receiving the list of what had been taken, describing it as “your entire narratives and files with your account.” This client expressed significant concern that their confidential legal information and identifying documents were now in the hands of criminals, potentially in another country, and lamented the feeling of powerlessness. The client also criticized the firm's security posture, stating it was “basic 101” that companies should have client confidential information encrypted, implying this safeguard was not in place to prevent the data from being accessed in a usable form.

In response to the incident, Mahoney Horner Lawyers initiated several support measures for affected clients. The firm was working alongside cybersecurity experts to help monitor the internet and dark web for any potential use or public leak of the copied information. As of the May 1st communication, the firm’s understanding was that the information had not yet been used, but the risk of leakage was deemed very real. The firm committed to keeping clients informed about any possible release of their data. Furthermore, the firm announced it was arranging for an independent third party to be made available for affected clients to contact, thereby providing a avenue for obtaining independent advice and support to deal with the situation's impact.

To address the specific risk posed by the theft of government IDs, the firm offered practical solutions. Elspeth Horner, the firm's principal, confirmed that Mahoney Horner Lawyers had offered to pay the replacement costs for new driver’s licences for impacted clients. Regarding passports, the firm relayed advice received from the Department of Internal Affairs (DIA), which indicated that replacing passports was not necessary. Instead, clients were advised to contact the DIA directly to have an alert placed on their passport. This alert would trigger a phone call to the legitimate passport holder if an unauthorized party attempted to apply for a new passport using their stolen details.

The firm also provided clients with an information sheet detailing steps they could take to safeguard themselves from personal risk, such as potential financial fraud. Clients were encouraged to review this information and take proactive measures to protect themselves, even if the firm had not yet confirmed the specific pieces of their data that were involved. This guidance was issued under the precautionary principle due to the high likelihood that identification documents had been compromised.

Organizationally, Mahoney Horner Lawyers maintained ongoing communication with regulatory bodies and stakeholders. The firm kept the Office of the Privacy Commissioner informed and updated throughout its response to the incident. A spokesperson for the Privacy Commissioner confirmed their office was working alongside both Mahoney Horner Lawyers and Lantech Services as they responded to the incident. Despite the disruptive event, the law firm stated that it had resumed business as usual operations, indicating that some level of containment and recovery had been achieved, though the full investigation and monitoring efforts were ongoing. The firm declined to provide additional commentary beyond its public statements, directing inquiries to the update posted on its website.