Slater + Gordon culprit could face years in jail

The mystery culprit who sent a ‘malicious’ email to all staff at legal giant Slater + Gordon – including details of the salary and performance ratings of every employee – could be facing years in prison if caught.

Ellie Dudley and Stephen Rice

3 min read

11 hours ago.

Updated 2 hours ago

A Slater + Gordon billboard outside its offices in Melbourne. Picture: AAP

The mystery culprit who sent a “malicious” email to all staff at legal giant Slater + Gordon – including details of the salary and performance ratings of every employee – could be facing years in prison if caught.

The Victoria Police cybercrimes squad has been investigating the massive data breach alongside the law firm’s own forensic specialists, but has so far been unable to track down the mastermind of the attack.

Police will not comment on their investigation into the “report of unauthorised access” but have a number of potential charges up their sleeve if they can identify the individual who penned the savage critiques of Slater + Gordon’s top lawyers and compiled the spreadsheet that revealed the pay packets of all 906 employees.

In Victoria, where Slater + Gordon is headquartered, it is a criminal offence under the Crimes Act to access or modify restricted data on a computer without authorisation or consent. Common examples are accessing someone’s banking or medical records, but extracting someone’s email address from a computer system without authorisation can also be an offence.

In the Slater + Gordon case, the perpetrator was able to access the entire staff email list and blind-copy every employee, purporting to be outgoing interim chief people officer Mari Ruiz-Matthyssen.

Ms Ruiz-Matthyssen has vehemently denied any involvement and Slater + Gordon says it doesn’t believe she wrote the email. Ms Ruiz-Matthyssen says “a cursory examination of the email and its attachment gave a clear indication as to the likely identity of the sender”. The metadata in the attached spreadsheet appears to identify a former member of staff as the creator of the document but that person has also vehemently denied being the author of the email, and claims someone may have impersonated her.

“Maybe someone has created a profile on their own laptop and used my name to create that report, or if someone had manipulated the metadata,” the former employee told The Australian.

Accessing confidential payroll and performance data without authorisation would almost certainly be a crime under Victorian law, and manipulating the data – as the creator of the Slater + Gordon salary spreadsheet appears to have done – would likely also be captured by the provision.

The maximum penalty is two years’ imprisonment.

Slater + Gordon believes the email was most likely sent by a former or current employee or group of employees.

Victorian criminal silk Gavin Silbert KC said police must prove the alleged perpetrator did not have authorised access to the payroll documents. “An employed solicitor, for example, wouldn’t have had authorised access,” he said.

“If the person had authorised access, they’re not guilty of an offence. If it’s someone who had authorised access then left the position, that access could have been authorised at the time they accessed it.”

It is also illegal under Victorian law to produce, supply or obtain data with the intention of committing a serious computer offence, punishable by for up to three years in prison.

Gavin Silbert KC. Picture: supplied

Commonwealth laws could also be used to prosecute the author of the email. Using a “carriage service” to menace, harass or cause offence under the Commonwealth Criminal Code Act carries a maximum penalty of five years’ jail.

A similar charge was upheld in the case of Man Haron Monis, who was charged with sending offensive letters to the families of Australian soldiers who died in Afghanistan. The High Court in 2013 dismissed the appeal by Monis – shot dead the following year after taking hostages in the Lindt Cafe siege – finding the law protects the community from such communications.

Under the same act, a person who accesses or modifies restricted data without authorisation can land themselves in jail for two years, while doing the same thing with the intention of committing a serious offence that carries a penalty of five years.