Slater + Gordon refer poison-pen email suspect to police
The legal giant on Tuesday referred to Victoria Police a former employee it believes was behind a ‘premeditated and carefully planned’ email attack on the firm.
A former Slater + Gordon worker who is suspected of sending a “malicious” email attacking senior executives and revealing the salary information of 900 employees had an intimate knowledge of the company’s cybersecurity systems and took a series of deliberate steps to fly under the radar, the firm believes.
Slaters on Tuesday revealed it had referred the former employee to Victoria Police for further investigation, having concluded a forensic probe into the “premeditated and carefully planned attack” on the embattled law firm.
The alleged culprit intentionally sent the email in 10 different batches to circumvent normal email protocols, the firm said in a statement, and omitted IT staff and some senior employees from the recipients list.
“This matter continues to be taken extremely seriously by Slater and Gordon, and we have referred the outcomes of the forensic investigation to Victoria Police,” Slaters chief executive Dina Tutungi said on Tuesday. “We will continue to assist the police with their work.”
Slater + Gordon did not reveal the identity of the person they believe to be behind the email, which made scathing criticisms of senior employees and included a spreadsheet revealing the salaries and performance ratings of every worker.
A former employee whose name appears in the metadata of a payroll spreadsheet sent in the email has previously denied sending the email and claimed someone may have impersonated her.
“Maybe someone has created a profile on their own laptop and used my name to create that report, or if someone had manipulated the metadata, or someone is using my old profile … to do it,” said the former employee, who The Australian has not named for legal reasons.
If convicted, the culprit behind the attack could face years in prison. In Victoria, where Slater + Gordon is headquartered, it is a criminal offence under the Crimes Act to access or modify restricted data on a computer without authorisation or consent.
In the statement, the firm said it had “reasonable grounds” to suspect the former employee “who was aware of the firm’s security protocols and had previously been authorised to access certain data”.
The firm also revealed that more than 10 emails were sent in batches in an apparent bid to circumvent normal email protocols and that the IT team and some senior executives appeared to have been deliberately excluded from the recipients list.
The data attached to the email appeared to have been taken from at least three different internal source documents, which were combined and altered, the firm said. Those source documents had restricted access within the firm.
The firm reiterated that it believed former Chief People Officer, Mari Ruiz-Matthyssen, in whose name the email was purportedly sent, was not responsible for the email.
Ms Ruiz-Matthyssen is expected to take legal action against the top-tier law firm, claiming it allowed the crisis to escalate despite clear early indications the email had been manipulated.
Sources say Ms Ruiz-Matthyssen was responsible for dismissing, in November, the former employee whose name appears in the spreadsheet metadata.
The employee said she had “two very brief” meetings with Ms Ruiz-Matthyssen during her time at Slater + Gordon, including one involving her leaving the firm.
The author of the email appeared to have inside information about private dinners at the home of chief executive Dina Tutungi, illnesses suffered by staff, rivalries between named individuals, investigations into cases of inappropriate conduct, planned redundancies and even gossip about which board member “they will ditch this year”. Many Slaters employees were highly distressed by the email, which included observations of senior figures at the firm as “ruthlessly ambitious”, “lazy and unmotivated” and “senile and needs to retire”.
The firm was forced to set up a formal process to deal with angry staff who have been able to compare their pay and performance ratings with those of their colleagues, with salaries ranging from Ms Tutungi’s purported $690,000 to a Melbourne legal assistant on $22,916.
One former Slaters employee told The Australian: “There’s several people on the same level, but earning considerably less than colleagues, so the leaking of salary information is going to have serious consequences come pay negotiation and bonus time.”
The episode has dealt a blow to Slater + Gordon’s reputation for cybersecurity expertise, but the firm says no client data has been compromised in the email scandal.
“Slater and Gordon has an existing and ongoing program to review and strengthen security controls and that work continues,” the firm said.
In Tuesday’s statement Ms Tutungi said: “This matter continues to be taken extremely seriously by Slater and Gordon, and we have referred the outcomes of the forensic investigation to Victoria Police. We will continue to assist the police with their work.”
“While this malicious incident was unwelcome, our priority remains our people and the critical work we do every day to provide access to justice for our clients.”