Risk Update

Law Firm Cyber Risk — Hacking and Ransomware Incidents Hit Firms

Fresh detail on this one: “Law firm that handles data breaches was hit by data breach” —

  • “An international law firm that works with companies affected by security incidents has experienced its own cyberattack that exposed the sensitive health information of hundreds of thousands of data breach victims.”
  • “San Francisco-based Orrick, Herrington & Sutcliffe said last week that hackers stole the personal information and sensitive health data of more than 637,000 data breach victims from a file share on its network during an intrusion in March 2023.”
  • “Orrick works with companies that are hit by security incidents, including data breaches, to handle regulatory requirements, such as obtaining victims’ information in order to notify state authorities and the individuals affected.”
  • “In a series of data breach notification letters sent to affected individuals, Orrick said the hackers stole reams of data from its systems that pertain to security incidents at other companies, during which Orrick served as legal counsel.”
  • “Orrick said the stolen data includes consumer names, dates of birth, postal address and email addresses, and government-issued identification numbers, such as Social Security numbers, passport and driver license numbers, and tax identification numbers. The data also includes medical treatment and diagnosis information, insurance claims information — such as the date and costs of services — and healthcare insurance numbers and provider details.”
  • “Orrick said that the breach includes online account credentials and credit or debit card numbers.”
  • “The number of individuals known to be affected by this data breach has risen by threefold since Orrick first disclosed the incident. Orrick said in its most recent data breach notice that it ‘does not anticipate providing notifications on behalf of additional businesses,’ but did not say how it came to this conclusion.”
  • “It’s not clear how the hackers initially broke into Orrick’s network, or whether the hackers demanded a financial ransom from the law firm.”
  • “In December, Orrick told a San Francisco federal court that it had reached an agreement in principle to resolve four class action lawsuits, which accused Orrick of failing to inform victims of the breach until months after the incident.”

“CMS’ Spanish Arm Becomes Latest Victim of LockBit Cyber Attack” —

  • “CMS has become the latest law firm to fall victim to a cyber attack, with its Spanish arm suffering a data breach of its storage servers.”
  • “According to a post on social media platform X, behind the attack is ransomware group LockBit, which made headlines last month when it breached Allen & Overy’s servers, holding to ransom potentially highly sensitive client and firm data.”
  • “CMS confirmed in a statement that ‘other member firms of the CMS organisation’ are not affected by the incident. In addition, its Spanish office has engaged external forensic specialists, who are collaborating with its cyber security response team, to ‘isolate and control the incident.’”
  • “Commenting on the attack, the firm said: ‘We are still doing thorough cyber forensic work to examine and resolve the incident. Our focus is to determine what data has been affected. The firm’s priority is its clients and therefore we will maintain our security protocols and have implemented additional procedures.’”
  • “A&O appeared on LockBit’s list of targets on its website on November 9, with the hackers demanding a ransom and threatening to publish its confidential data. However, the firm was removed from the victim list one day before the November 28 ransom deadline. It is as yet unclear whether A&O paid a ransom following what experts said would have been prolonged negotiations.”