As previously announced, on 13 March 2023 our parent company, IPH Limited (IPH) detected that a portion of its IT environment had been subject to unauthorised access. This access was primarily limited to the document management systems of the IPH head office and two IPH member firms in Australia, Spruson & Ferguson (Australia) and Griffith Hack, and the practice management systems of these two IPH member firms.
Upon becoming aware of the incident, IPH immediately isolated these systems, removed them from its network, and implemented its Business Continuity Plan to resolve the cyber incident.
As announced on 24 March 2023, IPH subsequently established new network infrastructure following a methodical restoration process. Key system functionality has now been restored. Supported by leading external cyber security experts, IPH has also applied enhanced cyber security measures, including additional preventative and detective controls to protect the IPH network.
Forensic update
IPH’s forensic investigation is now substantially complete. The investigation has identified that a limited set of data was downloaded by an unauthorised third-party during the incident.
The downloaded dataset originated from the Spruson & Ferguson (Australia) business and primarily contained:
- data relating to a small number of clients of Spruson & Ferguson Lawyers; and
- some historical financial and corporate information.
IPH has reviewed the downloaded dataset and has worked with Spruson & Ferguson Lawyers to directly contact affected clients.
To ensure IPH meets any privacy or data breach obligations arising from the incident, IPH has also undertaken a detailed review of the affected data to determine the presence of any personal information. Based on this analysis, IPH has determined to notify a small number of individuals whose personal information was in the dataset. IPH has also notified the Office of the Australian Information Commissioner of the incident. IPH has and will continue to meet all regulatory obligations in relation to the incident.
IPH expects to complete the investigation and response into the cyber incident within the next few weeks and will update the market if there are any material changes to the outcomes set out in this announcement.
You can read the full statement from IPH here, and for any queries, please contact your relationship Principal.