iscover
National law firm Slater & Gordon has referred outcomes from its forensic investigation into the recent “premeditated and carefully planned” mass email, sent to more than 900 staff, to Victoria Police, with the firm noting it has “reasonable grounds” to suspect a former employee sent the extraordinary correspondence.
Slater & Gordon has today (Tuesday, 25 March) referred the outcomes of its forensic investigation into the “recent malicious email” incident to Victoria Police.
As reported in recent weeks, an explosive email – sent in batches to over 900 recipients between 9:41am and 9:57am on Friday, 21 February, the firm said – contained, among other things, a spreadsheet revealing the supposed salaries of hundreds of staff members.
Following this, the national plaintiff firm referred the email to Victoria Police and undertook a “thorough” forensic investigation.
The email purported to be sent by the firm’s interim chief people officer, Mari Ruiz-Matthyssen. From the outset, Slater & Gordon said it believed that Ruiz-Matthyssen was not the sender. In today’s statement, it reiterated its belief that she was not responsible.
Ruiz-Matthyssen issued a statement in late February, noting that she had been wrongfully accused and publicly vilified and that she is taking legal action.
“A cursory examination of the email and its attachment gave a clear indication as to the likely identity of the sender,” she said at the time.
HR Leader does not suggest that the contents of the email are accurate, nor does it suggest that Ruiz-Matthyssen was involved in any way in its distribution.
With its forensic investigation now complete, Slater & Gordon said that it has “reasonable grounds to suspect that the email may have been sent by a former employee who was aware of the firm’s security protocols and had previously been authorised to access certain data”.
The firm further said that over 10 emails were sent, which appear to have been designed to circumvent email protocols; its IT team and certain senior executives appear to have been deliberately excluded from the recipients list; and the email’s data was apparently taken from at least three different restricted internal source documents, which were combined and altered.
No client information was compromised, the firm said, in what was a “premeditated and carefully planned attack” and that it “condemns in the strongest possible terms”.
There is also no evidence to suggest, Slater & Gordon added, that any current employee, contractor, or external threat actor was involved.
Following this incident, the firm said it took the following actions: removing the email from all inboxes within 90 minutes and locking down the staff email archive system to prevent further dissemination of the email; providing a confidential contact number for staff to confirm whether they were included in the email and, if so, what information was disclosed; proactively contacting impacted staff; offering the firm’s EAP to all staff, and notifying the Office of the Australian Information Commissioner.
Moreover, it has an existing and ongoing program to review and strengthen security controls and that work continues.
The firm’s chief executive, Dina Tutungi, said: “This matter continues to be taken extremely seriously by Slater and Gordon, and we have referred the outcomes of the forensic investigation to Victoria Police.”
“We will continue to assist the police with their work.
“While this malicious incident was unwelcome, our priority remains our people and the critical work we do every day to provide access to justice for our clients.”
The firm noted that it will not make further public comment on the matter while it is under police investigation.
