Names, home addresses, dates of birth, Centrelink IDs and other personal details were stolen in the electronic raid on HWL Ebsworth Lawyers, whose clients included 65 government agencies, big banks and multiple ASX-listed companies, including The Star Entertainment Group.

The Office of the Information Commissioner is investigating the April 2023 attack, which saw data released on the dark web for around three weeks.

Information from guests and employees at The Star’s Gold Coast, Sydney and Brisbane casinos was stolen in the digital heist.

Guests of the Star’s casinos are furious and afraid after receiving letters from the law firm saying their identities had been compromised – almost a year after the event.

One Star guest, a Gold Coast woman in her 80s, was distraught to learn she’d had her details stolen.

“Goodness knows what else they have on us – what can transpire from here?” she said.

“I was devastated when I got the letter because I thought ‘what on Earth is going to happen now?’.

“I don’t know what to do – do I have to change my name? I don’t know how to get out of this situation. It’s very scary.”

The hack was attributed to Russian group ALPHV, also known as BlackCat, and included sensitive information from companies and government departments.

HWL Ebsworth refused to pay a $7.1m ransom, and subsequently obtained a court injunction preventing the publication of details from the stolen information.

The Star guest said she’d trusted the company with her personal details, including very detailed information about her income and other financials in more recent requests by the casino late last year – after the hack.

“I did everything in good faith – it’s not a good feeling,” she said.

“I’m checking my accounts all the time, I don’t know if someone’s got our emails, our photos, our Facebook – what else can they do with this (information)?”

In a letter from HWLE, seen by the Gold Coast Bulletin, another elderly Star guest was told her full name, address, date of birth, driver's licence number and “other identity credentials” had been stolen.

When Gold Coast retiree Ian Timmins received a letter from the law firm saying his full name, address, and driver's licence number had been compromised, it was the first he’d heard of the hack.

Mr Timmins said the HWLE’s offer to pay for a new driver's licence and a subscription to a credit reporting company was “nonsense”.

“10 and a half months have gone by – it’s just appalling,” he said.

“I’m a Star shareholder, the company is struggling so I’d rather not be (speaking out), but they’ve gone 10 and a half months without saying anything and I’m angry.

“It’s absolutely unconscionable.”

A spokeswoman for The Star did not answer questions about when the company found out about the hack, why the law firm had personal guest information, or why it had not issued any ASX announcements about it.

The spokeswoman directed the Bulletin to a statement on its website, where The Star said its own systems had not been compromised.

A spokesman for HWL Ebsworth said the privacy and security of client and employee data “was of the utmost importance” to the firm.

“HWL Ebsworth completed a detailed analysis of all data that was accessed by the criminals; the data set was large and unstructured, so this was a detailed and complex challenge,” he said.

“The firm’s priority has been to ensure that it properly reviewed the data and inform those impacted as swiftly as it could.

“The analysis process took time but has now come to an end.

“HWL Ebsworth has continued to work with impacted organisations in notifying all affected individuals, and that process is almost complete.”

For Mr Timmins and the other victims, the process has only just begun.

“(Star) refused to say why the data was even made available to the lawyers, and didn’t even mention the hack at the AGM in November,” he said.

The revelation comes as Star continues to struggle in the wake of nine-figure fines and findings it was unfit to hold casino licences in Queensland and NSW after it flouted its responsibilities on gambling harm and money laundering.

The group, which sacked 500 staff off the back of diving results last year, has been granted extensions until May and June this year to demonstrate it is suitable to retain its licences in the two states.

kathleen.skene@news.com.au

More Coverage

Building giant Multiplex in racehorse receivership stoush

Kathleen Skene

‘Exorbitantly’ overcharging lawyer can’t pay his debts

Kathleen Skene

Originally published as Guests of the Star Entertainment Group have personal details stolen in HWL Ebsworth Russian hack