As previously announced, on 13 March 2023 IPH Limited (IPH) detected that a portion of its IT environment had been subject to unauthorised access. This access was primarily limited to the document management systems of the IPH head office and two IPH member firms in Australia, Spruson & Ferguson (Australia) and Griffith Hack, and the practice management systems of these two IPH member firms.
Upon becoming aware of the incident, IPH immediately isolated these systems, removed them from its network, and implemented its Business Continuity Plan to resolve the cyber incident.
As announced on 24 March 2023, IPH subsequently established new network infrastructure following a methodical restoration process. Key system functionality has now been restored. Supported by leading external cyber security experts, IPH has also applied enhanced cyber security measures, including additional preventative and detective controls to protect the IPH network. All other IPH member firms continued to operate as normal.
Forensic update
Our forensic investigation is now substantially complete. The investigation has identified that a limited set of data was downloaded by an unauthorised third-party during the incident.
The downloaded dataset originated from the Spruson & Ferguson (Australia) business and primarily contained:
• data relating to a small number of clients of Spruson & Ferguson Lawyers; and
• some historical financial and corporate information.
Based on the investigation to date, we have no evidence to suggest that data located on any other component of IPH’s IT network (including the IPH document management system and the document management and practice management systems of Griffith Hack) was downloaded by the unauthorised third-party during the course of the incident.
IPH has reviewed the downloaded dataset and has worked with Spruson & Ferguson Lawyers to directly
contact affected clients.
To ensure IPH meets any privacy or data breach obligations arising from the incident, we have also undertaken a detailed review of the affected data to determine the presence of any personal information. Based on this analysis, IPH has determined to notify a small number of individuals whose personal information was in the dataset. IPH has also notified the Office of the Australian Information Commissioner of the incident. IPH has and will continue to meet all regulatory obligations in relation to the incident.
For further information please read the full ASX announcement.