The personal data of certain Star Entertainment customers and employees was compromised as part of a major law firm breach in April 2023. [Image: Shutterstock.com]

A big leak

Star Entertainment can’t seem to stop stepping on rakes. After having its casino licenses suspended in New South Wales (NSW) and Queensland, having to pay over AU$200m (US$130m) in fines, and its CEO resigning on Friday, the company is now dealing with the fallout of a significant data breach.

Hackers accessed millions of legal documents in April 2023 from the biggest law firm in Australia, HWL Ebsworth (HWLE). Star is one of its clients and the casino company only recently notified patrons and employees that their personal data was potentially part of the leak.

sought a ransom of AU$7m (US$4.6m)

The hacker group known as ALPHV or BlackCat claimed responsibility for the attack and sought a ransom of about AU$7m (US$4.6m). HWLE refused to pay, so the group released the data on the dark web over a three-week period, including home addresses, passport information, and banking details.

HWLE eventually got an injunction from the NSW Supreme Court to make it illegal for people to access the data, which dampened the media’s efforts to report on the causes and extent of the hack.

The fallout

Talking to Daily Mail Australia, a Star Entertainment customer spoke about learning that his birth certificate, tax number, driving license, and passport were all possibly part of the leak. The casino company told him that the commercial law firm would reimburse the cost of having to replace his passport and/or driving license. He believes that this doesn’t go far enough and hopes that a class-action lawsuit against Star Entertainment is on the way.

The hackers accessed the data of about 50 Australian Shares Exchange-listed companies and up to 45 government departments..

Star Entertainment explained in an email statement to customers that the delay in informing people was due to the “very large volume of data was extracted” which meant that it had to manually figure out if the personal data of customers and employees was compromised.

A prolific hacking group

ALPHV is a prolific ransomware group that was also behind the attack on MGM Resorts last summer. The direct impact lasted a couple of weeks and resulted in the company’s systems going offline, causing massive disruption at its Las Vegas properties, in particular.

FBI estimated that ALPHV had made over US$300m from its efforts

MGM refused to pay any ransom money despite reportedly losing about US$100m in entire ordeal. The same hackers reportedly carried out a similar attack on Caesars Entertainment, which led to a US$15m ransom payment. The FBI estimated that ALPHV made over US$300m from its efforts as of September 2023.