This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Judo Bank

Summary

Judo Bank experienced indirect exposure to the HWL Ebsworth law firm data breach in 2023. While Judo Bank's own systems remained secure, customer and employee information shared with HWL Ebsworth for legal services was potentially compromised in the ransomware attack on the law firm. The bank provisionally contacted affected individuals and worked with HWL Ebsworth to ensure proper notifications under the Notifiable Data Breaches scheme.

What Happened

In 2023, HWL Ebsworth, a major Australian law firm, suffered a significant ransomware attack by the ALPHV/BlackCat threat group. Judo Bank, which had used HWL Ebsworth for legal services for only a short time, was among the organisations whose data was potentially exposed in the breach.

The breach occurred through HWL Ebsworth's systems rather than Judo Bank's infrastructure. Judo Bank's own systems were not impacted and remained secure throughout the incident. However, confidential information that Judo Bank had shared with the law firm as part of their professional relationship was potentially accessed by the attackers.

Impact on Individuals

Customers and employees whose information may have been shared with HWL Ebsworth as part of legal matters were potentially affected. The information potentially compromised would have included personal details, contact information, and possibly financial information related to legal services.

Judo Bank provisionally contacted customers and employees who may have been impacted by the incident to alert them to the potential exposure of their information. The bank emphasised that its own systems and the broader customer database remained secure.

Organisational Response

Judo Bank worked closely with HWL Ebsworth to ensure affected individuals were formally notified under the Notifiable Data Breaches scheme. The bank took a proactive approach by provisionally contacting potentially affected individuals before the full scope of the breach was determined.

The incident demonstrated the cybersecurity risks associated with third-party service providers, particularly professional services firms that hold sensitive client information. The fact that Judo Bank's own systems remained secure highlighted that the vulnerability existed within the service provider's infrastructure rather than the bank's own cybersecurity controls.
