When a major architecture firm suffered a ransomware attack, it turned to its managed security service provider for answers. But months later, key questions remained: How did the attackers access the system? Were third-party vendors responsible?
FTI Consulting was engaged to provide an independent cybersecurity investigation and expert analysis. We not only uncovered the root cause of the attack but gave the client and its legal counsel the evidence needed to pursue legal recourse.
This case illustrates a critical truth: in legal disputes following a cybersecurity incident, the quality and depth of the investigation can determine whether an organisation is able to hold others accountable and recover losses.
Why Revisiting Investigations Can Be Crucial in Legal Disputes
Cybersecurity breaches are often investigated under pressure — time is short, stakeholders demand answers and the stakes are high. However, when those early investigations fall short, organisations can be left vulnerable not only to future attacks but also to litigation risks.
In this case, the company had already worked with an incident response provider, but six months after the breach, it still didn't know exactly how attackers had accessed its systems or whether any third-party service providers had contributed to the compromise. With data leaked on the dark web and reputational damage mounting, the firm's legal team recognised that any future litigation would require a more conclusive and defensible investigation.
FTI Consulting's Cybersecurity experts were brought in to revisit the incident from a forensic perspective — independent of earlier findings and with a clear mandate to identify the root cause and any third-party accountability.
Reconstructing the Breach: A Forensic Approach to Accountability
Our engagement began with a detailed review of all available artefacts gathered during the initial incident response effort. This included data from:
- Windows-based computers and servers
- Security monitoring and alerting tools
- Firewall and remote access appliances
- Cloud-based authentication systems
- Configuration history logs
We also reviewed the original forensic report and communications between the client and their vendors. Our goal wasn't to refute prior conclusions but to independently validate them — or identify gaps that could change the outcome of a legal dispute.
Almost immediately, we identified indicators that had been previously overlooked or dismissed, particularly related to how remote access was configured and monitored.
The Root Cause: Misconfiguration and Missed Oversight
Through comprehensive forensic analysis, we traced the initial access event to a specific misconfiguration in remote access systems maintained by the client's outsourced IT services provider. This vulnerability created an open pathway for the attackers to enter the network undetected. Once inside, the threat actors escalated their privileges, exfiltrated sensitive data tied to Australian projects and ultimately leaked that data on the dark web.
Our team determined that the breach was entirely preventable. The provider had failed to follow standard security practices in configuring remote access and failed to meet contractual service level agreements — and there were no safeguards in place to detect or remediate the issue in time. In short, the organisation's trust in its vendor created a blind spot that was exploited by threat actors.
Enabling Legal Recourse Through Independent Expertise
The second phase of our engagement focused on the client's broader security posture and vendor oversight leading up to the attack. We examined whether reasonable steps had been taken to protect the organisation's data and whether those steps could withstand legal scrutiny — especially in relation to third-party organisations whose data had been compromised.
We found that not only had the managed IT services provider failed to meet its contractual responsibilities, but the client had limited visibility into whether those responsibilities were ever being met. There were no effective audit mechanisms or performance reviews in place. As a result, a critical weakness went unnoticed until it was exploited.
These findings gave the client and their legal counsel the evidentiary foundation to pursue legal action against the third-party provider.
Lessons for Managing Legal Risk in the Aftermath of a Cyber Breach
This case holds valuable insights for any organisation managing complex digital environments and external vendors, particularly those preparing for — or already engaged in — dispute scenarios:
Independent Investigations Add Legal Value
An impartial, technically robust investigation can mean the difference between vague suspicions and clear legal liability. Independent experts can uncover what others missed — and present findings that stand up in court or regulatory proceedings.
Vendor Oversight Must Be Active, Not Passive
It's not enough to have service agreements in place. Organisations must monitor performance, enforce security standards and build accountability mechanisms. Legal risk increases when outsourced functions operate with minimal oversight.
Forensic Readiness Enables Better Outcomes
In this case, key digital evidence was preserved — even months after the breach. That foresight enabled a successful retrospective investigation. Organisations should invest in readiness strategies to ensure they can respond effectively when disputes arise.
Final Thought: In Disputes, Facts Matter — So Make Sure You Have Them
In today's threat landscape, cybersecurity incidents and data breaches are often inevitable — but unresolved investigations shouldn't be. Remediation is necessary, but not sufficient: legal resolution includes the need for attribution. Because when legal accountability, regulatory compliance or reputational recovery are at stake, it's essential to get to the truth.
Whether preparing for litigation or strengthening internal governance, engaging experts with proven experience in complex investigations and litigation support can turn uncertainty into evidence and position your organisation to act with confidence and clarity.