Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Four Big Law Firms Report Data Breaches in June

June 27, 2023

The hits just keep on coming in 2023. Law.com reported on June 23rd that four Big Law firms have reported data breaches to state attorneys general in June.

Bryan Cave Leighton Paisner, Gibson, Dunn & Crutcher, and Loeb & Loeb reported data breaches to attorney general offices in Maine, Massachusetts and California, respectively. Meanwhile, Orrick Herrington & Sutcliffe reported a breach on June 6 to the Massachusetts attorney general.

The BCLP breach was filed by a client, snack-food conglomerate Mondelēz International. The company said 51,110 company employees had their Social Security numbers, retirement plan information and other personal information compromised during a breach of BCLP’s systems that occurred the last week of February.

A BCLP spokesperson said the firm acted to contain the breach, including engaging a leading forensics firm and coordinating with law enforcement. It also communicated with affected stakeholders.

Loeb & Loeb’s data breach occurred last June, according to a report filed with the California Office of Attorney General and impacted “certain information related to current or former clients and employees.”

A Loeb & Loeb spokesperson said that a “small part” of the firm’s computer network, “unrelated to critical firm infrastructure and outside of our core database, was subject to unauthorized access.”

“After a comprehensive and time consuming investigation, we confirmed that nearly all of the impacted material was quite dated, but some contained certain personal information belonging to a very limited number of clients, former clients and other persons,” the statement continued, adding that the firm then performed a manual review of the data and notified the affected individuals.

An unauthorized third party accessed two electronic file repositories at a Massachusetts office of Gibson Dunn. The firm said it hired “leading third-party cybersecurity experts” to investigate and contained the incident within one day. “There was no operational impact or impairment to Gibson Dunn’s network or systems. We have been working closely with federal law enforcement and have taken additional security measures to reduce the risk of future incidents,” the firm said. Public records indicate three residents of the state had Social Security numbers and driver’s license numbers accessed by the third party; the firm declined to state whether any client data was accessed.

According to the Massachusetts Office of Consumer Affairs and Business Regulation, Orrick suffered an electronic data breach that impacted six Massachusetts residents, although the firm’s filing did not indicate that any key personal information was compromised.

“On March 13, we identified a threat actor targeting our file storage devices where we maintain certain client files,” Orrick said in a statement. “Our investigation is complete and we have notified those clients who had affected files. We did not experience any client service or operational disruptions, nor did we identify any ransomware related to this attack. We reported the matter to law enforcement.”

The four June reports follow a multitude of law firm data breaches reported in the past year. In April, Proskauer Rose confirmed it was hacked through a third-party vendor contracted to set up the firm’s cloud site through Microsoft Azure. Cadwalader, Wickersham & Taft had its internal document management system taken offline for weeks in a November breach, and New Jersey-based midsize firm McCarter & English experienced a breach that crippled the firm’s internal communications last April.

With so many big players impacted, lawyers of all size firms need to constantly monitor their cybersecurity measures and develop comprehensive incident response plans.

Hat tip to Dave Ries.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email:  Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology