LAW FIRM COMPROMISES IN THE US

This timeline documents information security breaches or compromises in 100 law firms in the US from 2010 to 2025.

Lawyers have a duty under attorney-client privilege, Rule 1.6 of the ABA Model Rules, and the HIPAA Security Rule (as business associates) to safeguard information they receive in the course of their work and to avoid accidental disclosure of confidential information. This duty places a significant burden on lawyers to take active steps to secure digital and physical data against unauthorized access and to protect the confidentiality and availability of that information.

The timeline highlights recurring technical, client, and organizational impacts of information security compromises, including the loss of client data, unauthorized access to sensitive client information, operational disruptions, diminished client trust, reputational damage, and legal and financial liabilities stemming from credit monitoring provisions and breach-related litigation.

Recurring patterns and trends are analyzed at the end of the timeline.

2010-01-11 00:00:00

Gipson Hoffman & Pacione (California)

The firm, which was representing a software developer in a federal-court piracy case against the Chinese government, experienced a phishing attack that was believed to have originated from China. According to the firm, attorneys at the law firm began receiving customized Trojan emails that appeared to come from other employees of the firm. The emails, at least some of which originated in China, attempted to trick the target into clicking on a link or attachment. The firm did not disclose whether the attack was successful.

2011-11-28 13:10:57

VG law firm (Pennsylvania)

VG is the pseudonym for a Pittsburgh-based law firm whose identity was hidden. On November 28, 2011, Matthew West, an employee of VG who had been fired that day, acted in association with external actors, Alyson and Jonathan Cunningham, to install malware on the computer server of the law firm, using a password provided to him by Alyson. The malware could capture the passwords of anyone in the firm's network. On November 29, 2011, West sent an email to a partner at the law firm using an anonymous email account, stating that the firm's web servers had been compromised and its backup files had been copied and deleted. West stated that the hackers' motive was to capture and record the data of 100% of Pittsburgh records and operations and use it against the firm if they had to. Based on an FBI investigation, the threat actors were arrested and prosecuted for unlawful trafficking in computer passwords and reckless damage to a protected computer. The number of persons potentially affected by this incident was not disclosed. Technical impact: Unauthorized access to confidential data.

2012-08-01 00:00:00

Department of Justice, Investor Protection Unit (Delaware)

Personal information of persons who applied for registration as broker-dealer agents and/or investment adviser representatives was inadvertently released by the unit as part of a bulk data request.

2013-12-20 00:00:00

StakerLaw Tax and Estate Planning Law (California)

A burglary at the home of one of the attorneys, Kevin Staker, led to the theft of the firm's backup hard drive, which contained clients' files including their Social Security numbers and other asset information. The number of persons potentially affected was not disclosed. Technical Impact: Unauthorized access to confidential data and potential data loss.

2014-03-14 00:00:00

Law office of Kathleen J. Hill

The firm did not disclose the details of the breach but only reported that the electronic records of 15 people were affected. The date on which the breach occurred was not disclosed, but it was reported on March 14, 2014.

2015-01-06 00:00:00

Law Offices of David A. Krausz, P.C. (California)

A laptop of the firm that contained identifiable client information, including their names, dates of birth, and social security numbers, was stolen. The number of persons potentially affected by this physical compromise was not disclosed.

2016-12-01 00:00:00

Warden Grier (Missouri)

The four-member firm experienced a ransomware attack that resulted in the theft of privileged data belonging to its client, Hiscox Insurance, and to clients of Hiscox. The firm investigated the attack itself and contacted the FBI; however, it is not clear whether it also hired forensic experts to determine the scope and extent of the incident. The firm did not inform Hiscox about the data breach at the time it occurred but instead paid the ransom demanded by the hacker group, Dark Overlord, to keep the stolen data private. Two years after the incident, an employee of Hiscox discovered data belonging to Hiscox and its clients on the dark web. Hiscox engaged forensic experts on learning of the breach and notified all of its customers. Hiscox then sued the firm for breach of its ethical duty of confidentiality and for its failure to notify Hiscox about the breach as required by Missouri law.

2017-06-23 00:00:00

Barer Law Offices (Illinois)

The firm was the subject of a burglary that resulted in the theft of a laptop belonging to one of its lawyers. The laptop contained personal information of its clients, which may have been accessed as a result of the theft.

2017-09-01 00:00:00

Clark Hill LLP

Hackers believed to have been employed by the Chinese government hacked into the firm's servers and obtained personal information of one of its clients, Guo Wengui, a Chinese citizen, who had retained the firm in relation to his asylum petition. The personal information of Wengui and his wife, which was obtained by the hackers, was published on social media. Wengui sued the firm for breach of loyalty, citing that he had warned the firm before retaining it of the potential that his Chinese political opponents might seek to attack its computer systems to access his personal information. The firm, however, did not do anything to prevent the security attack despite assuring the client of its robust security measures. Technical Impact: Unauthorized access to confidential data.

2017-10-31 00:00:00

Golter Law Offices LLC (Oregon)

A hard drive containing clients' files and personal information was stolen from an employee's vehicle.

2018-04-08 00:00:00

Capitol Law Group PLLC (Washington)

Threat actors gained access to certain client information from the firm's network and demanded a ransom in exchange for the information. It was not disclosed whether the ransom was paid. The total number of people potentially affected by the incident was also not revealed.

2018-05-02 00:00:00

Hotley Law (Oregon)

The firm noticed that an unauthorized person gained access to the email account of one of its employees. Investigations conducted revealed that personal information, social security numbers, medical information, and insurance details of certain persons were acquired as a result of the incident.

2019-11-29 00:00:00

Baker Wotring (Texas)

The firm experienced a ransomware attack that gave unauthorized access of client data, which included pain diaries from personal injury cases, fee agreements, and HIPAA consent forms, to Maze, a notorious ransomware group. The personal data was further exposed to the public when Maze published it on a hosted site to induce the firm to pay the ransom demanded. It is not known if the firm paid the ransom, but its name was removed from the list a week after the publication. The number of people potentially affected by the incident was not disclosed.

2019-12-05 00:00:00

Waters & Kraus (Texas)

Based on a forensic investigation, the firm discovered that a threat actor had gained unauthorized access to a number of its email accounts. The investigation determined that the names, Social Security numbers, driver's licenses, financial account numbers, and other payment card information of about 14,450 persons had potentially been exposed by the incident. The firm provided one year of complimentary identity theft protection to the affected individuals. Technical Impact: Unauthorized access to confidential data.

2020-01-10 00:00:00

Moyer White LLP

Threat actors gained unauthorized access to the email accounts of some employees of the firm. While the manner in which the breach occurred was not disclosed, the incident exposed the PII, PHI, and financial account information of 327 persons, which was stored in the affected email accounts. The firm notified the potentially affected persons and offered them 2 years of credit reports, credit monitoring, identity restoration, and identity-theft insurance. Technical Impact: Unauthorized access to confidential information.

2020-02-01 00:00:00

Woods and Woods LLC (Indiana)

The firm was a victim of a ransomware attack that led to the attackers gaining unauthorized access and stealing PII, social security numbers, medical information, and bank account details received by the firm in the discharge of its legal duties. About 115 Iowa residents were affected by the security incident. While the attackers threatened to release the data to the public, it is not known whether the data was released or whether the firm paid the ransom.

2020-02-10 00:00:00

Wilson Elser Moskowitz Edelman & Dicker LLP (New York)

The law firm reported that a security incident compromised the ability of more than 800 attorneys to access their emails and work files. As a precautionary measure, the firm took down its systems after its internal warning systems detected suspicious activity on the network. The firm stressed that there was no indication that any client's data was compromised as a result of the attack. The type of security attack was not disclosed. Technical Impact: System downtime and business disruption.

2020-04-16 00:00:00

James-Bates-Brannan-Groover LLP (Georgia)

Threat actors gained unauthorized access to multiple email accounts of the firm and exposed the names, addresses, dates of birth, social security numbers, and financial account details of 800 persons. The firm offered complimentary credit monitoring and identity protection services to the potentially impacted persons.

2020-05-08 00:00:00

Grubman Shire Meiselas & Sacks (New York)

The entertainment firm, which is used by numerous celebrities, including Lady Gaga, Madonna, Drake, and Mariah Carey, was hit with an REvil ransomware attack that resulted in the theft of 756 gigabytes of data, which included artists' contracts and emails. The threat actors demanded $21 million initially but increased it to $42 million when the group discovered files related to Donald Trump. The firm refused to pay the ransom and lost some data as a result. The actual date of the breach was not disclosed.

2020-05-22 00:00:00

Pruitt-Hamm Law and Mediation Services (Washington)

A threat actor gained unauthorized access to the email account of the firm's bookkeeper and set up a rule that forwarded certain emails from the bookkeeper's account to a third-party phantom email address. The emails contained personal information of certain persons and information about client cases. The firm did not disclose the form of attack that resulted in the unauthorized access to the email account.

2020-05-28 00:00:00

Gonzales, Gonzales & Gonzales Immigration Law Offices (Oregon)

The data breach occurred when a threat actor accessed the computer network of the firm. The names, social security numbers, and financial data of about 1098 Washington residents were affected. The total number of affected persons was undisclosed. Technical impact: Unauthorized access to confidential data

2020-06-15 00:00:00

Gravis Law PLLC

The breach occurred when an unauthorized actor accessed an employee's email account for 10 minutes and potentially exposed the full names and social security numbers of 16 Montana residents. The total number of people potentially affected by the breach was not disclosed. Technical Impact: Unauthorized access to confidential data

2020-08-04 00:00:00

Inner City Law Center (Oregon)

A successful phishing attack on the email account of an employee of the center gave unauthorized access to all emails and attachments sent to and from the email account. Based on the report of investigations into the security attack, the center notified all the people that had any form of correspondence with the affected email account of a likely security breach. Technical Impact: Unauthorized access to confidential data

2020-08-19 00:00:00

MKRS Law (Florida)

MKRS discovered on February 12, 2022, that a threat actor had gained unauthorized access to information stored on its network about 18 months prior to its discovery of the incident. The security breach resulted in the compromise of the names and Social Security numbers of 16,471 persons. The firm notified the potentially affected persons of the incident and offered them one year of complimentary credit monitoring services.

2020-09-24 00:00:00

Fragomen, Del Rey, Bernsen & Loewy (New York)

A threat actor compromised the firm's network systems and illicitly accessed a single file with personal data of a discrete number of current and past employees of Google. The affected persons were notified of the security incident and offered free credit monitoring and identity theft protection. The company did not disclose how many employees were affected or what type of information was accessed.

2020-10-10 00:00:00

Seyfarth Shaw (New York)

The firm detected unauthorized activity on its network and acted quickly to prevent its spread and protect its systems. Although Seyfarth stressed that it found no evidence that client or internal data was removed or accessed, many computer systems were encrypted, forcing the IT team to "shut them down as a precautionary measure." The firm had fallen victim to a ransomware attack that spread aggressively across its network and forced it to shut down its email service and other systems. The firm says it was able to stop the attack soon after detection, but not before data on many systems had been encrypted by the malware. It took the firm several days to restore its systems fully.

2020-11-01 00:00:00

Covington & Burling LLP (Washington)

In or around November 2020, threat actors associated with the Microsoft Hafnium cyberattack gained unauthorized access to Covington's computer network and certain individual devices. Non-public information of certain Covington clients, including 298 companies regulated by the Securities and Exchange Commission (SEC), was compromised by this security event. After Covington learned of the unauthorized access, it compiled a list of potentially affected clients. Covington traced the threat to the intentional and malicious acts of a foreign actor. Alarmed that confidential data of the companies it regulates could be accessed by foreign agents, the SEC requested that the firm disclose which SEC-regulated companies were affected by the incident. When the firm failed to honor that request, the SEC issued a subpoena against the firm demanding the release of the list of affected SEC-regulated companies.

2020-11-03 00:30:35

Law Offices of Joseph L. Bornstein (Maine)

Threat actors gained unauthorized access to the email account of one of the firm's employees. The potential information accessed and acquired included the personal information, financial account details, and credit or debit card numbers of 1100 persons, 827 of them being Maine residents. The firm offered complimentary twelve-month identity protection services. Technical Impact: Unauthorized access to confidential information

2020-11-15 00:00:00

Colin Rockey Hackett Law PC

A burglary incident at the firm resulted in the theft of one of the firm's laptops and other storage devices containing client and case data. The data included PII, PHI, and social security numbers. The total number of persons affected was not disclosed.

2020-11-20 00:00:00

Herron Business Law (Pennsylvania)

The breach occurred when the firm unintentionally disclosed the electronic PHI of 1419 individuals. The information included the names and treatment information of the affected individuals. The firm reported the incident to the US Department of Health and Human Services and provided HIPAA training to its employees and legal representatives. Technical Impact: Unauthorized access to confidential information

2020-11-27 00:00:00

Briggs Law Firm (New York)

The firm experienced a data breach that compromised the electronic records of 5 Massachusetts residents. The information included their social security numbers, account numbers, and driver's licenses. The notice of the breach given to the Massachusetts Office of Consumer Affairs and Business Regulation did not specify the nature of the breach or how it occurred. Technical Impact: Unauthorized access to confidential information

2021-01-14 00:00:00

Bricker & Eckler LLP (Ohio)

On January 31, 2021, the Ohio-based firm, which provided legal services to a number of healthcare systems in the state, discovered that it had been a victim of a ransomware infection. Bricker engaged a cybersecurity firm whose investigation revealed that a threat actor had accessed and exfiltrated files containing client information and other sensitive data from the firm's internal systems. The PHI, educational information, and Social Security numbers of about 430,185 individuals were potentially compromised by the incident. Although the firm notified the potentially affected persons in April 2021, it was sued in a class action over the data breach and its failure to protect the sensitive healthcare information of the affected individuals. The firm settled the matter by agreeing to pay $1.95 million to resolve the claims. Technical Impact: Unauthorized access to confidential information. Organizational Impact: Negative media attention, reputational damage, and legal and financial liabilities.

2021-01-18 00:00:00

Kahan Kerensky Capossela, LLP (Connecticut)

A malware attack on the firm's computer systems exposed the names and Social Security numbers of 120 persons to unauthorized access by threat actors. The firm notified the potentially affected persons and offered them 24 months of credit monitoring services through Kroll.

2021-01-20 00:00:00

Goodwin Procter (Massachusetts)

Goodwin Procter fell victim to a data breach after a vendor it uses for large file transfers reported that it had been hacked. Goodwin's breach investigation revealed that a "small percentage" of the firm's clients "may have experienced unauthorized access to or acquisition of confidential material". According to the firm, potentially impacted clients were notified, and all of the firm's clients were informed about the breach. Technical Impact: Unauthorized access to confidential information.

2021-01-22 00:00:00

Morgan, Brown & Joy LLP (Massachusetts)

On April 12, 2021, MBJ found evidence of fraudulent emails in the email account of one of its employees. This prompted the firm to conduct a forensic investigation with the assistance of a cybersecurity firm to ascertain whether a security breach had occurred. The investigation revealed that two MBJ email accounts were compromised during the breach period, which potentially affected the PII, PHI, financial information, and other sensitive information of about 1732 individuals. The firm notified the potentially affected persons and also informed the Attorney General of their states.

2021-02-02 00:00:00

The Lanier Law Firm (Texas)

Lanier suffered a sophisticated malware attack, which encrypted a number of its computer systems when external threat actors gained access to some of its computer systems during the breach period. The encryption prevented the firm from gaining access to some of its files. The firm investigated the incident, regained access to the encrypted files, and also reported the incident to federal law enforcement. Lanier also notified the 55,869 potentially affected persons of the compromise of their personal information and offered them complimentary credit monitoring and identity restoration services for a year. Technical Impact: Unauthorized access to confidential information and business disruption

2021-02-12 00:00:00

Daniels, Porco & Lusardi, LLP (New York)

A phishing email containing a malicious link was sent to several employees of the firm, but only one email account was potentially affected. Forensic experts engaged by the firm determined that the PII and financial account details of 567 persons were potentially impacted by the incident. The firm provided credit monitoring services to the affected persons for one year. Technical Impact: Unauthorized access to confidential information

2021-03-05 00:00:00

Howard Law LLC (Illinois)

On October 19, 2021, the firm discovered that a phishing attack on the email account of one of its employees had compromised the personal information and social security numbers of 11,564 persons. The firm notified the potentially affected persons and also offered 1 year of complimentary credit monitoring and identity theft services to the persons affected. Technical Impact: Unauthorized access to confidential information

2021-03-05 20:29:50

McCarter & English LLP (New Jersey)

The firm was a victim of a ransomware attack that temporarily affected the availability of its network systems and disrupted its operations. Upon discovery of the attack, the firm commenced an investigation that revealed that the threat actors had accessed and acquired files containing the names and Social Security numbers of 1090 people. The firm notified law enforcement and the potentially impacted persons. It also provided 1 year of identity protection to the affected persons. Technical Impact: Unauthorized access to confidential information. Organizational Impact: Financial liability.

2021-03-08 00:00:00

Payne and Fears, LLP (California)

The firm was a victim of a sophisticated ransomware attack, which resulted in unauthorized access to its network by external threat actors. The threat actors sent a digital note to the firm stating that they had obtained certain data from its network, which included the PII of 234 people. The firm notified the FBI and engaged forensic experts to investigate the incident. The firm also provided 12 months of credit monitoring and identity theft protection to the affected persons at no charge. Technical Impact: Unauthorized access to confidential information

2021-06-02 00:00:00

Sherin and Lodgen LLP (Massachusetts)

After receiving an alert that its email system was malfunctioning, Sherin and Lodgen conducted a forensic investigation with third-party IT providers, which revealed that a threat actor had accessed and acquired certain files from the firm's systems, including the personal data of about 416 persons. The nature of the personal data compromised was not provided by the firm. Technical Impact: Unauthorized access to confidential information.

2021-06-09 00:00:00

Kohn Law Firm (Wisconsin)

The firm reported a data breach to the Indiana office of the Attorney General on September 9, 2021, which affected 446 individuals. The breach notice did not provide details on the nature of the breach or how it occurred. The firm also failed to specify what type of information was impacted by the breach. Technical Impact: Unauthorized access to confidential information

2021-07-01 00:00:00

Colligan Law LLP (New York)

The firm discovered on July 15, 2021, that threat actors had gained unauthorized access to its network, potentially affecting the personal information of 3 Maryland residents. The personal information compromised included their financial account number and routing number. The firm notified the Maryland Office of the Attorney General and the affected persons of the breach. Technical Impact: Unauthorized access to confidential information

2021-07-01 00:00:00

New York City Law Department

A threat actor gained access to the law department's network by stealing the email login details of an employee of the department. The hack was enabled by the department's failure to implement multifactor authentication, a basic safeguard. The nature and scope of the attack were not disclosed by the department but were believed to involve malware. The number of persons potentially affected was also not disclosed.

2021-07-02 05:31:56

Goldberg Segalla LLP (New York)

Threat actors hacked into the firm's system and acquired certain HR records. Investigations into the incident revealed that names, contact information, dates of birth, social security numbers, and certain employment-related information of 862 people (most likely current and former employees) were impacted. The firm offered 3 years of identity restoration and credit monitoring services to the affected persons. Technical Impact: Unauthorized access to confidential information

2021-07-19 00:00:00

Smith, Gambrell & Russell LLP (SGR) (Georgia)

On August 9, 2021, SGR discovered that some documents stored in its information technology systems had been stolen by unknown threat actors. It conducted an investigation into the incident, which revealed that the PII of about 78,479 persons had been stolen during the breach period. Despite knowing of the incident since August 2021, SGR did not notify the affected persons until a year or more later. SGR was sued by at least 2 affected persons over the data breach and its failure to notify the affected persons on time. On December 4, 2024, the parties to both suits entered into a voluntary dismissal of the suits. Technical Impact: Unauthorized access and loss of confidential data. Organizational Impact: Legal and financial liabilities.

2021-08-19 00:00:00

Barran Liebman LLP (Oregon)

An unauthorized party accessed some files from the firm's systems. The files contained personal information, medical information, payment card details, and Social Security numbers of certain people. The total number of people affected in Washington was 2,170.

2021-08-21 00:00:00

Kingsley and Kingsley Lawyers (California)

External threat actors conducted a ransomware attack on two of the firm's computer servers, which resulted in unauthorized access to the PII of 29,204 persons. The personal information included the names and social security numbers of the affected persons. Technical Impact: Unauthorized access to confidential data

2021-09-02 00:00:00

Fee, Smith & Sharp (Texas)

A Texas law firm discovered on October 1, 2021, that a threat actor had hacked into its network and removed the full name, medical diagnosis/treatment, and health insurance information of one Maryland resident from its network. Technical Impact: Unauthorized access and loss of confidential data

2021-11-11 00:00:00

The Haggard Law Firm, P.A (Florida)

In November 2021, Haggard was alerted by a third party to suspicious activity suggesting a potential email compromise. The investigation that followed revealed that a threat actor had gained unauthorized access to the business email account of one of its employees. The 1244 persons affected by the security breach were notified and provided credit monitoring and identity theft protection services. It is likely that the suspicious activity behind this compromise stemmed from the hack of the email account of Adam Finkel, Esq., an attorney at Haggard, which led to an alleged fraudulent payment of a portion of a settlement amount owed to one of Haggard's clients to an unknown threat actor. This incident resulted in a lawsuit commenced by United Parcel Service (UPS) against Haggard for breach of a confidentiality agreement. Technical Impact: Email communication compromise and fraudulent transactions.
