Prominent law firm Campbell Conroy & O’Neil said it fell victim to a ransomware attack five months ago that resulted in systems holding sensitive information being compromised.
The firm offers services to numerous Fortune 500 and Global 500 companies, including automakers (Ford, Honda, General Motors, Mercedes Benz, and others), aviation and aerospace (British Airways, Boeing, US Airways, and more), energy/utilities, industrial machinery, insurance, and transportation organizations, among others.
Last week, the law firm announced that it detected unusual activity on its network on February 27, and that an investigation into the matter revealed that certain systems were infected with ransomware.
The systems, the company says, held “certain information relating to individuals,” which might have been viewed or accessed by the unauthorized party behind the attack.
The compromised information, the company says, includes names, birth dates, Social Security numbers, driver’s license and passport numbers, state identification numbers, and data related to financial accounts and payment cards.
Furthermore, medical and health insurance information was also compromised, along with biometric data, and even credentials for online accounts in some cases.
“Please note that the information varies by individual and for many individuals, a limited number of data types were determined to be accessible,” Campbell says.
While the firm focused on personally identifiable information (PII) in its disclosure, it left details unclear on what sensitive client business data may have been exposed in the attack.
“The most valuable data at a law firm is certainly not PII as disclosed by the law firm in question. Smart cybercriminals are chasing for sensitive dossiers of wealthy or politically exposed customers, looking for attorney-client privileged information or other sensitive litigation-related data. Modern cyber gangs are well aware of it, moreover, in the Dark Web, there are dedicated channels to buy and sell data from compromised law firms,” Ilia Kolochenko, Founder of ImmuniWeb, told SecurityWeek in an emailed comment.
“Currently, law firms enjoy a very modest data protection regulation regime compared to such industries as banks or healthcare institutions, while processing data of the same or even higher sensitivity. We should expect a steady growth of sophisticated attacks against law firms in the near future,” Kolochenko added.
Related: Continuous Updates: Everything You Need to Know About the Kaseya Attack
Related: CISA Adds Ransomware Module to Cyber Security Evaluation Tool
Related: CISA Warns of Threat Posed by Ransomware to Industrial Systems
