Risk Update

Law Firm Hacked & Data Leaked — Big Risk, Big Ransom, Big News

Posted Dan Bressler

Celeb Law Firm Refuses Hacker Ransom as Lady Gaga Files Leak” —

  • “Days after the celebrity law firm that represents Madonna, Bruce Springsteen, and Nicki Minaj admitted it was “victimized by a cyberattack,” the hackers that executed the breach released their first batch of stolen data Thursday: files that focused on the law firm’s work with Lady Gaga.”
  • “The unnamed hacker group, using ransomware dubbed “REvil,” launched the cyberattack against the internal data systems of Grubman Shire Meiselas & Sacks; on Wednesday, they asked the law firm for $21 million in exchange for the 756 gigabytes of stolen data. However, after the firm allegedly hired cyber-extortion specialists to combat the ransomware demands, the hackers released a 2.4 gigabyte batch of files Thursday.”
  • “The ‘first part’ was a 2.4-gigabyte folder including legal work the law firm did for Lady Gaga: contracts sent to producers, collaborators, and members of her touring ensemble; promotional agreements; expense sheets; confidentiality agreement forms; performer agreements; reimbursement forms for the artist Jeff Koons; a handful of promotional photos; and reams of tedious paperwork one would expect to find in the database of an entertainment law firm. (A representative for Lady Gaga declined to comment.)”
  • “‘Our elections, our government, and our personal information are under escalating attacks by foreign cybercriminals. Law firms are not immune from this malicious activity,’ a spokesperson for Grubman Shire Meiselas & Sacks told Rolling Stone in a statement. ‘Despite our substantial investment in state-of-the-art technology security, foreign cyberterrorists have hacked into our network and are demanding $42 million as ransom. We are working directly with federal law enforcement and continue to work around the clock with the world’s leading experts to address this situation.'”
  • “‘This is a lose-lose situation for both the firm and its clients,’ Callow tells Rolling Stone. ‘If the firm does not pay the criminals, it’s likely that more data will be published. If the firm does pay, it will simply receive a pinky promise from a bad-faith actor that the stolen data will be destroyed. But why would a criminal enterprise ever delete data that it may be able to further monetize, and especially if that data may have a high market value?’ For example, there is nothing preventing the hackers from reaching a settlement with the law firm, only to then turn around and shake down their celebrity clients with the stolen data.”