A Wellington law firm is warning clients there is a “real risk” their information could be leaked following a cyberattack - and one client says he’s “pissed off” the company didn’t have the information encrypted.
A leak would also most likely lead to the client data being used to attempt to commit financial fraud, the firm said.
Mahony Horner Lawyers sent out an email to clients on Monday providing an update on a recent “cyber incident” which had affected the firm and data they hold for their clients.
“Our priority is confirming what personal information has been copied,” the email read.
“It is taking some time for us to analyse the information and identify high-risk data so we can make personal contact on an individual basis. If you have given us a copy of your driver’s licence or passport within the last three years then unfortunately it is likely the copy we held has been included in the data taken by the unauthorised third party.”
They recommended those clients consider taking steps to protect themselves even if the law firm had not yet confirmed to them what parts of their personal data were affected.
“We are also looking to shortly have an independent third party available to be contacted by affected clients so that you can obtain independent advice and support for this situation and its impact on you.”
The firm is working with cyber security experts to help them monitor any potential use or leak of the copied information.
“At present we remain of the understanding that the information has not been used – however we now believe there is a real risk that it could ultimately be leaked.”
They would keep clients informed about any possible release of the data.
“We appreciate that all information you gave us was provided for us to hold in the strictest of confidence. We are very sorry that the confidentiality of that information has been breached through unauthorised access to the third-party server.
“If there is a leak of the data, we understand the most likely use of that data would be for the purposes of attempted financial fraud – particularly through the use of government-issued IDs.”
They provided an information sheet with steps clients could take to safeguard their personal risk, and encouraged them to look at it.
“We appreciate it is distressing and inconvenient to be affected by this cyber incident – we are very sorry for the impact of this situation on you.”
An affected client, who did not want to be identified, said he was “pissed off” this had happened.
“I’m pretty upset. I got the list through of what these people had taken. It’s your entire narratives and files with your account.”
He said confidential information on his legal matters had been taken, along with identifying documents.
“I’m not very happy about that, it’s pretty bad.”
He said it was basic 101 that companies should have their clients’ confidential information encrypted.
“You don’t feel like you can do anything, can you, really? Some criminal in Romania somewhere has got that stuff. Who knows what they’ve got and where it turns up?”
The man wanted people to know what had happened, because it was “about educating people and it’s about forcing companies to be responsible”.
The firm’s principal, Elspeth Horner, confirmed they have offered to pay replacement costs for new driver’s licences, but said the advice from the Department of Internal Affairs (DIA) was that passports would not need to be replaced. Clients can contact the DIA and have an alert placed on their passport so if an unauthorised party tries to apply for a new passport using their details, they will receive a phone call.
She declined to comment further, beyond what was already in a statement on the firm’s website.
The statement said they were now operating business as usual, and keeping the Office of the Privacy Commissioner and all stakeholders informed and updated.
A spokesperson for the Privacy Commissioner said Mahoney Horner Lawyers notified it on May 30 that they had been impacted by a cyber-hack of Lantech Services that occurred a day earlier.
“We have been working alongside both organisations as they respond to this incident.”
Melissa Nightingale is a Wellington-based reporter who covers crime, justice and news in the capital. She joined the Herald in 2016 and has worked as a journalist for 10 years.