In a statement, Slater Gordon said it has “reasonable grounds” to suspect the email may have been sent by a former employee who was “aware of the company’s security protocols” and previously had authorised access to “certain data.”

The “malicious” email – BCC’ed on 21 February to all Slater Gordon staff revealed the salaries, bonuses and performance ratings of its 906 employees.

The company’s IT team and certain senior executives appear to be “deliberately excluded” from the recipients list, the firm said in the statement.

The email included blistering criticism of top executives, information about private dinners held by chief executive Dina Tutungi, and claimed private equity firm Allegro Funds planned to “gut the place.”

Allegro Funds acquired the law firm in 2023 after a deal worth about $150 million.

The email was sent using the name of former people officer Mari Ruiz Matthyssen, who

Slater + Gordon and Ms Tutungi, along with Ms Matthyssen, have confirmed the email was not sent by Ms Matthyssen.

“The data attached to the email appears to have been taken from at least three different internal source documents, which were combined and altered. Those source documents have restricted access within the firm.

“There is no evidence to suggest that any current employee, contractor, or external threat actor was involved,” the statement read.

No client information was compromised in the incident.

“The email was a premeditated and carefully planned attack which Slater and Gordon condemns in the strongest possible terms.”

Ms Matthyssen said she was being “vilified” in a statement through her lawyers in February.

“I did not send the email. A cursory examination of the email and its attachment gave a clear indication as to the likely identity of the sender. I have engaged lawyers and I am in the process of taking legal action,” it read.

Slater + Gordon remains in contact with Victoria Police as they investigate the incident.

The person behind the attacks could face jail time given it is a criminal offence to access or modify restricted data on a computer without authorisation or consent in Victoria.

“While this malicious incident was unwelcome, our priority remains our people and the critical work we do every day to provide access to justice for our clients,” Ms Tutungi said in a statement.