Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Law Firm Goodwin Procter Hit by Data Breach

February 4, 2021

Bloomberg Law reported on February 2 that Goodwin Procter suffered a data breach after a vendor used for large file transfers recently reported it was hacked, according to an internal memo Bloomberg Law obtained.

The memorandum, circulated by Goodwin managing partner Mark Bettencourt on February 2, said Goodwin was informed of the security issue on January 22, and immediately stopped using the service.

The firm also retained a third-party forensic expert and began an investigation.

Goodwin confirmed the veracity of Bettencourt's memo, but declined further comment.

Goodwin's breach investigation showed that a "small percentage" of the firm's clients "may have experienced unauthorized access to or acquisition of confidential material" on January 20, Bettencourt said. He said that potentially impacted clients were notified and all of the firm's clients were told about the breach.

Internally, "only a few Goodwin employees were affected," and they have been notified, according to the memo.

"At this time, we have found no evidence that any Goodwin resources were affected other than the file transfer service, and our business operations have not been affected," said Bettencourt, whose memo said Goodwin had been running the most current version of the vendor's service, conducting maintenance, and using security patches.

The email said it was likely "multiple customers" of the file transfer service had been impacted by the breach.

Goodwin was No. 22 in the American Lawyer's most recent rankings of the largest U.S. law firms by gross revenue. The Boston-founded firm, which has offices around the globe, had revenues of about $1.3 billion in 2019.

Goodwin is not alone, of course. Seyfarth Shaw was the victim of a malware attack in October. Fragomen and Cadwalader, Wickersham & Taft also reported breaches late in 2020.

Many security breaches happen at law firms, but they often are unreported, particularly if there's no unauthorized acquisition of or access to data, said Christopher Ballod, associate managing director of cyber risk at Kroll and former vice chair of the data privacy and cybersecurity practice at Lewis Brisbois Bisgaard & Smith.

"You're seeing less than the smallest tip of the iceberg in incidents," Ballod said.

I certainly agree with that comment!

Ballod said that the most sophisticated threat actors are always looking at Big Law firms given the amount of sensitive data they possess. Third-party service providers these law firms often use are also potential targets.

Ballod noted that breach concerns at law firms may be higher than in other industries, because law is such a trust-based business.

"So a breach of privacy, any incident at all that could implicate the sanctity of client data is potentially catastrophic, it destroys or damages that carefully crafted brand," he said.

Agreed once again. And I note that Goodwin notified all of its clients about the breach, not just those who were impacted. Well done!

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson