Campbell Conroy & O'Neil, P.C., a law firm handling hundreds of cases for the world's leading companies, has announced a large data breach that resulted from a ransomware attack in February.
In a statement released on Friday, the law firm said it noticed unusual activity on its network on February 27. The firm later realized it was being hit with a ransomware attack and contacted the FBI as well as cybersecurity companies for help.
Their investigation revealed that the hackers behind the attack gained access to a database with names, dates of birth, driver's license numbers/state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials.
The law firm is offering those affected 24 months of free credit monitoring, fraud consultation, and identity theft restoration services.
Campbell Conroy & O'Neil is one of the world's biggest law firms and boasts a client list that includes major corporate giants like Exxon, Ford, Toyota, British Airways, Boeing, Monsanto, Johnson & Johnson, Pfizer, Dow, Fisher-Price, Home Depot, Office Max, Walgreens, Toshiba and more.
Last year, cybercriminals behind the REvil ransomware attacked Grubman Shire Meiselas & Sacks, a high-profile New York law firm with clients ranging from Lady Gaga, Madonna, Mariah Carey and Nicki Minaj to Bruce Springsteen, Bette Midler, U2, Outkast, Jessica Simpson, Cam Newton, Facebook and many more.
Trevor Morgan, product manager with data security specialists with comforte AG, said ransomware groups have long attacked law firms because of the amount of sensitive data they handle on a daily basis, adding that the attack against Campbell Conroy & O'Neil, P.C. was "discomfiting."
"Law firms house massive amounts of information about clients and legal cases—much of that privileged information—and most of that information is highly sensitive and can be used as leverage against the firms themselves (in ransomware attacks) and also to target other victims in a domino effect," Morgan explained.
"Law firms and legal service providers (such as processors of legal discovery data) should be paying attention to this breach and immediately assessing their defensive posture. If you're one of these organizations, you should be asking whether your sensitive data resides in a vulnerable clear state behind what you believe is a well-protected perimeter, or whether you apply some form of data-centric security to it."