‘Jaw-dropping’: Slater + Gordon in an email scandal for the ages
It was 9.48am when a perfectly aimed missile dropped into the inboxes of most Slater + Gordon employees. Then all hell broke loose.
Most of Slater + Gordon’s more than 900 lawyers and office staff were already at work and behind their computers at 9.48 last Friday morning when a perfectly aimed missile dropped into their inboxes and exploded.
The email was innocuously headed “CPO Handover”, purportedly a note from outgoing interim chief people officer Mari Ruiz-Matthyssen to her successor at the firm, but containing brutal character assessments of many of Slater + Gordon’s most senior lawyers and staff.
And there, in an attached spreadsheet, were the salaries and performance ratings of every member of staff.
Ruiz-Matthyssen has vehemently denied any involvement and Slater + Gordon says it doesn’t believe she wrote the email.
But regardless of who sent the email, Slaters had just become the target of the biggest – and most audacious – hit job ever to strike a major Australian law firm, a devastating attack that is still reverberating through the legal world more than a week later.
The firm that made its name fighting compensation and personal injury cases has been opened up to a raft of claims from current and former employees.
The firm that proclaimed its expertise in running data privacy breach cases – including current actions against Optus and Medibank – had just become a victim of one.
And damningly, though perhaps unfairly, the Labor-leaning firm that positioned itself as the friend of the worker was revealed to be paying its chief executive $690,000 while a Melbourne legal assistant earned $22,916.
Within minutes of the email pinging Slater + Gordon inboxes, gobsmacked staff were poring over the salacious claims – and discovered how much their colleagues were earning.
“Jaw-dropping” was the expression many would later use to describe the email – and the impact of its arrival.
“Oh my God. This is wild,” one staff member recalls.
Was it a hoax? Had it been sent by accident, or deliberately, to destroy Ruiz-Matthyssen – or blow up the whole firm?
One thing was very clear: the author had an intimate knowledge of people at all levels of the firm – which was described as “a textbook case of dysfunction” – expressed in a string of poison-pen portraits.
The author was particularly scathing of CEO Dina Tutungi, whose primary focus was said to be “her own bottom line”. But it was a line about Tutungi’s dinner parties that struck many with its apparent insider access.
“If you’re lucky, you’ll get an invite to an ELT dinner at Dina’s mansion – complete with its own website, private chef, and an air of desperate excess,” the email said. “Last time, it was a tedious affair that fizzled by 8.30pm. No one could leave fast enough. But hey, maybe you’ll enjoy it.”
So astonished were some employees that they immediately forwarded it to friends and colleagues inside and outside the firm – a mistake many fear will come back to haunt them.
Tutungi herself is said to have admitted forwarding the email to a couple of board members, telling a staff meeting she was “kicking herself” because it could have been a cyber attack containing malicious software.
A closer look at the origins of the email, clearly sent from a private gmail address, would have rung alarm bells.
But for the moment, on that Friday morning, chaos reigned at Slater + Gordon.
“Just, like, panic,” says one staffer. “Dina got her executives to get on to speak with their groups, and the executives that had just been named in it. What sort of a request is that?”
Within half an hour, the firm’s IT department scrambled to wipe the email from the system.
By 11am all emails had been deleted – too late to stop it being forwarded 275 times within the company and 25 times to outside parties.
The firm began briefing staff in the same terms it would later use to the media – that what was presented as internal information in the email was “incorrect and in many ways a work of fiction”.
But some of the scandalous detail revealed in the poison-pen portraits was well-known to insiders. And the salaries listed, while dating back to November, were still current for most employees.
What also alarmed many staff was that the email reflected commonly held concerns about the future of the firm following its takeover in 2023 by equity fund Allegro.
“Morale is abysmal, money is haemorrhaging,” the email’s author declared in the “handover”.
“Allegro, true to private equity form, is gutting the place,” the email said. “Heads are rolling, and what remains is a skeletal crew barely keeping things together. The endgame? A polished-up shell to be sold off at the right price. Grim, but predictable.”
The firm was said to be “squeezing every cent out of the lowest-paid workers”, branding it “Big 4 tactics in what is meant to be a labour law firm”.
Even Key Community, the consultancy handling the transformation and values, has warned that the business is drifting too far from its roots, the email claimed.
It wouldn’t be until just after 4.30pm that day that PR crisis consultant and former Labor spinner Adam Sims responded to questions from The Australian, issuing a statement that Ruiz-Matthyssen was not the author or the sender of the email, that it was not her email address attributed, and she intended to report the matter to police.
Almost at the same time, Tutungi was addressing staff in an audio link-up, confirming Ruiz-Matthyssen had not sent the email and describing the episode as an “absolutely awful thing to have happened”.
Tutungi said the leaders and culture of the firm were the real target.
She claimed the data in the salary spreadsheet was wildly inaccurate, including her own reported salary of $690,00.
The email was sent from a gmail account in Ruiz-Matthyssen’s name, but also contained links to her Slater + Gordon email address. Investigators are working to determine if those links were fraudulently added to make it appear Ruiz-Matthyssen had sent information between the two accounts.
Ruiz-Matthyssen herself stayed silent until Monday when she issued a statement through lawyers categorically denying she had sent the email, and noting that “a cursory examination of the email and its attachment gave a clear indication as to the likely identity of the sender”.
The name of a former Slater + Gordon employee, sacked last year by Ruiz-Matthyssen, appears in the metadata of the salary spreadsheet.
But that person has emphatically denied sending the email, telling The Australian: “There’s no way I would have sent an attachment that had my name as the author.”
The ex-staffer said it was “distressing” that people believed she was the author of the email.
“Maybe someone has created a profile on their own laptop and used my name to create that report, or if someone had manipulated the metadata, or someone is using my old profile … to do it,” said the former employee, whom The Australian has chosen not to name.
“There’s no way I would have put my name in there, I’m very proficient in Excel, I wouldn’t have done that.”
The former employee claims her departure from the company was a mutual decision and is governed by a nondisclosure agreement. She said she had “two very brief” meetings with Ruiz-Matthyssen during her time at Slater + Gordon, including one involving her leaving the firm.
“Whoever it is who has written (the email) has a lot of inside knowledge but is also aware of the terrible culture,” the former staff member said. “The fact someone has used our names (means) they obviously want to point a finger at us as well.”
She said neither Slater + Gordon nor the police had been in contact with her since the email was sent.
Police from Victoria’s Cybercrime Squad have been investigating the case alongside the firm’s own IT forensic team, but say they are yet to find the culprit.
As late as Monday evening, some three days after the scandal erupted, Slaters was still telling The Australian a “hostile external actor” was still a plausible scenario, along “with one or more former employees or a group of current and former employees”.
No one believed it was a Russian mafia outfit or a Chinese cyber attack. It was a nonsense suggestion that angered many staff who already thought the company was not being transparent with them.
A pay parity process is now under way to deal with many employees discovering that colleagues have been paid better than them.
All of those named in the email have been offered “specialised support”, though it is understood many have not taken up the offer.
Staff say the firm is still struggling to get back on its feet.
A source within Slater + Gordon said senior management was attempting to “plough on” despite the consuming scandal, with Tutungi expected to front “values” workshops across the firm’s NSW offices next week.
“There was a lot of surprise that Dina is going to go around the offices in person. Is she kidding? Going around plodding along on some values workshop? How about the fact the whole company is supposedly being run into the ground by Allegro and all this stuff has been outed, and you’re going on about values? It’s a bit disingenuous, isn’t it?
“The company keep putting out quotes that the staff are the priority. But the staff don’t think they are a priority. There are many that feel that way.
“People are getting the information from the media, that’s how bad it’s been managed.”
The company says no client data has been breached but staff are concerned about the impact on the firm’s reputation as a cybersecurity expert, asking how it can run a data privacy case against Medibank or Optus “when we can’t even keep our own data private”.
The Slater + Gordon promotions process is usually under way now, but The Australian understands there has been no communication on that.
Usually at this time of year employees start preparing for end-of-year reviews and managers should be having conversations with their people before that, but there haven’t been any communications.
Slaters has asked the employees who forwarded the email to provide an explanation for why they did so, in a presumed attempt to track how the media became aware of it so soon after it was sent.
“Surely their focus should be on the actual investigation, not on the people in the firm who forwarded it on,” the source said.
“They’re saying the investigation is ongoing, but they need to provide an update. There’s more in the media than there has been from the firm.
“It’s hugely embarrassing for the people named in the email, but they are doing what they are told, continuing on as if it’s business as usual. The Slaters leadership group is meeting every other day – it was every day, now it’s every other day.”
In the meantime, Ruiz-Matthyssen is privately seething over what she feels was a failure by the firm to quickly and decisively state she was not involved, which allowed the crisis to escalate despite clear early indications the email had been manipulated.
Ruiz-Matthyssen believes Slater + Gordon made her “the sacrificial lamb” and is set to sue her former employer.
Legal sources said she may have a strong case, given the firm’s apparent failure to guard both its payroll information and its email system, allowing an outside email account to blind-copy hundreds of staff with sensitive information.
One legal source told The Australian: “They allowed this to get out of hand. Basic due diligence wasn’t done before they threw someone under the bus. Her reputation had been all but destroyed by the end of Friday morning.”
The vaunted law firm faces a long battle ahead to ensure its own reputation doesn’t meet the same fate, a path that will only get harder until it can answer the question: Who sent the email?
More Coverage
Helping with police probe? DPP won’t say
Sally Dowling SC has refused to confirm whether she is cooperating with a police investigation into an extraordinary leak of legally restricted material from within her office.
Bar Council drops DPP complaints
The NSW Bar Council has dropped two complaints that accused chief prosecutor Sally Dowling SC of attempting to influence the judiciary, claiming it does not have the jurisdiction to determine whether her actions amount to unsatisfactory professional conduct.