Orrick, a US-based law firm specializing in cyber attack response, falls victim to a data breach


International law firm Orrick, Herrington & Sutcliffe has gained first-hand experience of why it has found such a popular niche in the legal sector.

The firm, which offers (among other things) legal counsel to companies in the wake of cyber attacks, suffered its own data breach.

Threat actors stole the personal information of over 637,000 people during the breach in March 2023. The exposed information pertained to a host of Orrick's clients, which include EyeMed Vision Care, Delta Dental, and Beacon Health Options.

Stolen data included dates of birth, customer names and addresses, as well as government ID numbers, passport details, and social security numbers.

In addition, data pertaining to medical treatments, diagnosis details, and insurance information was accessed by threat actors, the firm revealed.

Though the firm has made minimal public comment, it does appear to have distributed a notice to the affected individuals.

Firms like Orrick, Herrington & Sutcliffe are a key component of organizational responses to any security incident or data breach. That is not to say they prevent data breaches from happening, but rather that they mitigate the damage companies experience, potentially enabling them to stay afloat and minimize reputational harm.

Orrick boasts a client roster that includes 13 of the 25 largest technology companies and refers to itself as a legal expert in the areas of cyber security, regulation, and privacy.

As such, an attack on such a big name in the tech law sector is sure to turn heads, and other law firms might start to feel they have targets on their backs.

Ian Thornton-Trump, CISO at Cyjax, said the incident highlights serious security failures and could severely impact trust in the law firm.

“It’s not a surprising event—many small, medium, and even large firms are lax when it comes to cyber security, frequently using legacy on-premise infrastructure that is open to the internet,” he said.

“The firm has also remained tight-lipped following the incident and may have failed to learn their lesson on the importance of transparency and timeliness when informing victims of a data breach,” Thornton-Trump added.

“Having recently resolved four class action lawsuits, accusing Orrick of failing to inform victims of the breach until months after the incident, this is not a track record to be proud of. Continued cyber security issues may manifest as significant brand loss.”


Rebecca Moody, head of data research at Comparitech, said the data breach marks the fifteenth-largest in the US across 2023, underlining the scale of the incident.

Research from IBM covering more than 550 breached organizations found that the global average cost of a data breach rose to $4.45 million in 2023.

Law firms are increasingly becoming a key target for cyber criminals and highly sophisticated ransomware groups due to the critical nature of the data they process and hold.

“Not only does this particular attack highlight that no one is safe from these types of breaches, but also the growth in ransomware attacks on companies with large databases,” she said.

“Companies like Orrick, Herrington & Sutcliffe increasingly appeal to cyber criminals due to their extensive and sensitive data. Encrypting these systems and extracting data increases hackers' chances of securing a ransom or a payout.”

At present, it remains unclear whether the attackers demanded a ransom from the law firm.

George Fitzmaurice
Staff Writer

George Fitzmaurice is a staff writer at ITPro, ChannelPro, and CloudPro, with a particular interest in AI regulation, data legislation, and market development. After graduating from the University of Oxford with a degree in English Language and Literature, he undertook an internship at the New Statesman before starting at ITPro. Outside of the office, George is both an aspiring musician and an avid reader.