Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Cadwalader Law Firm and Two Bar Associations Breached

November 11, 2020

Law.com reported on November 9 that the New York City Bar Association and the Chicago Bar Association disclosed data breaches this year, according to reports filed with the Maryland attorney general's office.

Also, Cadwalader, Wickersham & Taft reported a vendor data breach incident to Massachusetts state officials.

According to Cadwalader's notice, one of the firm's third-party vendors, TBG West Insurance, suffered a ransomware attack on March 27 that encrypted files within its system. Ultimately, the vendor "paid the ransom to regain access to their data," according to the notice, which Law.com obtained through a public records search.

The insurer's investigation determined that some files may have been copied during the attack, including "[Cadwalader] current and former employee information." Cadwalader was notified by the insurer in July.

In its filing, the law firm described changes the vendor made to enhance security and said that all potentially affected employees would be sent notices by July 30. Cadwalader also reported that it was evaluating its own assessments of vendor security.

Further, Cadwalader indicated that the incident did not occur on Cadwalader's systems. In a statement to Law.com on Monday, the firm added that "the vendor breach didn't impact the firm's systems or any client data."

The New York and Chicago bar association compromises involved credit card information, potentially gathered through unauthorized code inserted into third-party commerce and management software known as iMIS on their websites. The associations became aware of the vulnerabilities between April and May, they wrote in notice letters to Maryland Attorney General Brian Frosh during the summer of 2020.

The New York City Bar Association and City Bar Fund stated that the code was on its website between April 23 and May 1. The Chicago Bar Association said its investigation showed the code was present between May 22 and May 28.

"As a result, the malicious code may have allowed an unauthorized individual to collect credit card data from transactions that occurred within this time period," wrote Chicago Bar Association counsel Ernest F. Koschineg of Cipriani & Werner in a memo dated July 13. "Importantly, the vulnerability, as well as the malicious code, has been removed."

It is not known how many people were impacted by the compromise of the bar groups. In order to defend against similar incidents, the New York City Bar said it has "implemented advanced malware protection software with enhanced monitoring and alerting capabilities."

Law firm data breaches have certainly been in the headlines and in this blog this year. As readers may recall, in mid-October, law firm Seyfarth said the firm was victimized by "a sophisticated and aggressive malware attack that appears to be ransomware." And immigration firm Fragomen also reported last month that it experienced a data breach affecting a number of Google employees, Google being one of its clients.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson