Risk Update

Law Firm Cyber Risk — Exposed Client M&A Data Causes Concern, Law Firm Data Breach Brings Class Action

“Legal powerhouse Proskauer exposed clients’ confidential M&A data” —

  • “A security lapse saw Proskauer Rose, an international law firm headquartered in New York City, expose sensitive client data for more than six months, TechCrunch has learned.”
  • “A person with knowledge of the incident told TechCrunch that data from Proskauer’s merger and acquisitions business was left on an unsecured Microsoft Azure cloud server.”
  • “TechCrunch obtained a portion of the exposed dataset, which included approximately 184,000 files total, the person told us. These files were accessible from the web browser by anyone who knew where to look, and contained private and privileged financial and legal documents, contracts, non-disclosure agreements, financial deals and files relating to high-profile acquisitions.”
  • “Details of the exposed cloud server were captured by GrayHatWarfare, a searchable database that indexes publicly visible cloud storage and files. The files are understood to have been left public for at least six months.”
  • “Proskauer resolved the spill about two weeks ago, but has not yet notified its clients, whose website lists Major League Baseball and Morgan Stanley as clients.”
  • “In an email to TechCrunch, Proskauer, which incorrectly referred to the data exposure as a ‘cyber attack’ since there is no evidence of malice, would not say whether the law firm has any evidence of data exfiltration.”

“Proskauer Rose Data Breach Stemmed From Common Oversight Mistakes, Not Cloud Technology” —

  • “In early April, international law firm Proskauer Rose came under fire for leaving sensitive client information exposed in unsecured cloud storage for nearly six months.”
  • “The law firm shortly thereafter released a statement saying that an unnamed third-party vendor, who was hired to create an information portal into Proskauer’s Microsoft Azure cloud, ‘had not properly secured it,’ leading to the data breach.”
  • “Cybersecurity professionals who spoke to Legaltech News noted that third-party vendors often make such fatal mistakes. Still, they weren’t so keen on entirely letting law firms off the hook for responsibility in such situations, noting that they’re ultimately accountable for the security of their clients’ data and have a responsibility to oversee vendor work.”
  • “In Proskauer’s case, though the details of what exactly happened weren’t public, the firm did note that the middle-man, the vendor in charge of creating the information portal which was left misconfigured, was responsible. But having clearly defined roles in these situations is unusual, Sangster noted.”
  • “Therefore, while cloud storage is not infallible, it often isn’t the technology that leads to data breaches, but rather human beings who deal with the system that fail to take proper security measures. And ideally, all facets of the storage ecosystem should be communicating and working together to avoid such a scenario.”
  • “‘Because ultimately, we see the same mistakes whether the place the law firm is storing the data is on premises or in the cloud,’ Sangster said. And in this case, the responsibility to investigate what happened, ‘falls on Proskauer, because they’re the ones who have a relationship with the clients.’”

“Cadwalader Hit With Class Action Stemming From Data Breach” —

  • “Law firm Cadwalader, Wickersham & Taft is at fault for exposing personal data in a November 2022 breach, according to a proposed class action filed Wednesday in Manhattan.”
  • “The firm ‘failed to prevent the data breach because it did not adhere to commonly accepted security standards and failed to detect that its databases were subject to a security breach,’ the suit alleges.”
  • “Ohio-based attorney Patrick Perotti filed the lawsuit in the Southern District of New York, claiming more than 93,000 people had identifying information compromised and are at risk of credit fraud or identity theft.”
  • “The New York-founded firm fell victim to the cyberattack on Nov. 15 and 16 when an unauthorized third party gained remote access to the firm’s systems and acquired information from Cadwalader’s network, the complaint said.”
  • “The data breach prompted the firm to wipe firm-issued laptop hard drives and forced many of its internal systems offline, according to media reports.”

“November Cyberattack Hobbled Cadwalader for Weeks, Internal Emails Show” —

  • “Weeks later, the firm’s internal document management system remained offline, according to internal emails from managing partner Pat Quinn obtained by The American Lawyer. An attorney with knowledge of the situation provided evidence that some documents were unrecoverable for an extended period of time and potentially lost for good, contradicting a firm spokesperson’s statement that Cadwalader had made a full recovery by the end of the year.”
  • “The firm also declined to answer specific questions about the hack, including whether any client data had been accessed or encrypted by the hackers.”
  • “Third-party cybersecurity experts said Cadwalader’s response appeared to be mostly in-line with industry best practices in the wake of a breach, although those practices include calculated risks that are unavoidable for law firms.”
  • “Two weeks after the initial attack, the firm restored Citrix and most iManage functions in the U.S., although U.S. employees were only able to access their documents through the Citrix remote desktop. However, the attorney who spoke with The American Lawyer said the roundabout access method hamstrung lawyers’ ability to circulate documents, causing consternation among attorneys and clients. (A Cadwalader spokesperson disputed the attorney’s account.)”
  • “The attorney also said they felt the firm wasn’t completely forthcoming with clients about the security of their documents. In a conference call and in subsequent emails, the firm asked attorneys to access client documents on their personal computers if they had Microsoft Word installed as the firm worked to reinstall the Microsoft Office suite on its computers.”
  • “Cadwalader declined to say what the perpetrators of its cyberattack were after, but Pollock said hackers’ motives are almost always financial. ‘It’s always extortion,’ Pollock said. ‘Obtaining data to extort someone, to delete the data or sell it on the dark web.’”
  • “Not all law firm data breaches get reported. Data breach reporting laws vary by state but tend to focus on personal information rather than business information, and states such as New York don’t maintain public databases of required data breach reports.”

“American Bar Association data breach hits 1.4 million members” —

  • “The American Bar Association (ABA) has suffered a data breach after hackers compromised its network and gained access to older credentials for 1,466,000 members.”
  • “Thursday night, the ABA began notifying members that a hacker was detected on its network on March 17th, 2023, and may have gained access to members’ login credentials for a legacy member system decommissioned in 2018.”
  • “‘On March 17, 2023, the ABA observed unusual activity on its network. The incident response plan was immediately activated, and cybersecurity experts were retained to assist with the investigation,’ warns a notification email sent to impacted members and seen by BleepingComputer.”
  • “BleepingComputer was told by the ABA that 1,466,000 members were affected by this breach.”
  • “While BleepingComputer has learned that this was not a ransomware attack and that no corporate or personal data was stolen, there are some concerns that the threat actors could abuse the credentials. The American Bar Association says these legacy credentials were hashed and salted, meaning they were converted from plaintext into a more secure format.”