Law Firm Serving Fortune 500 Firms Hit by Ransomware
Hackers Accessed System Containing PII
Campbell Conroy & O’Neil, a Boston-based law firm that serves Fortune 500 firms, including Apple and Pfizer, is continuing its investigation of a ransomware attack in February that resulted in unauthorized access to certain data about its clients.
The law firm says it "alerted the FBI of the incident" and posted a breach notification on its website Sunday because "the investigation thus far determined that certain information relating to individuals was accessed by the unauthorized actor."
In addition to Apple and Pfizer, the firm's clients include dozens of Fortune 500 and Global 500 companies, such as Marriott International, Boeing, British Airways, Allianz Insurance, Johnson & Johnson and Mercedes Benz.
The law firm says that the attack has now been contained and that there is no active threat to the firm’s network. It did not specify if any data was exfiltrated or leaked. It reported that one of the systems accessed by the hackers that contained sensitive personal information was encrypted by the intruders.
Campbell Conroy & O’Neil told Information Security Media Group that it became aware of unusual activity on its network on Feb. 27 and conducted an investigation that determined ransomware was involved. Regarding the delay in reporting, it said: "It takes time to review the data accessed by the unauthorized actor and to determine notification obligations."
The law firm told ISMG that it was the target of a ransomware attack "which prevented access to certain files on the system. In response, Campbell began working with third-party forensic investigators to investigate the full nature and scope of the event and also alerted the FBI of the incident."
The firm has notified individuals whose information was accessed by the unauthorized actor. It says the breached system contained individuals’ names, dates of birth, driver’s license numbers/state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data and/or online account credentials, such as usernames and passwords. The firm did not specify how many individuals were affected, simply stating, "a limited number of data types were determined to be accessible."
Campbell Conroy & O’Neil is offering 24 months of prepaid credit monitoring, fraud consultation, and identity theft restoration services to individuals whose Social Security numbers or the equivalent were accessible as a result of the security incident. It says it's working with third-party forensic investigators to investigate the full nature and scope of the event and to determine what information may have been exposed.
The law firm tells ISMG that it's reviewing its policies and procedures and working to implement additional safeguards to further secure its information systems, saying its systems are now "fully operational" and it "does not anticipate any significant impact to ongoing litigation nor to our representation of our valued clients."
Others at Risk?
If data on Fortune 500 companies was, indeed, exposed in this breach, it could open the door to other breaches, says Javvad Malik, security awareness advocate at KnowBe4.
Cybercriminals are increasingly stealing data that they can use to fuel other attacks, Malik says. "Because of this, we're seeing more organizations targeted which have traditionally not been on criminals’ radars," he says. "This is why it's important that organizations of all sizes and across all industry verticals invest in robust cybersecurity controls, which encompass the technologies, processes and people to reduce the likelihood of becoming victims."
Trevor J. Morgan, product manager at German data security company comforte AG, adds: "Law firms and legal service providers - such as processors of legal discovery data - should be paying attention to this breach and immediately assessing their defensive posture. If you’re one of these organizations, you should be asking whether your sensitive data resides in a vulnerable clear state behind what you believe is a well-protected perimeter, or whether you apply some form of data-centric security to it."
Reward for Reporting
In response to the current surge in ransomware and other cyberattacks, the U.S. Department of State said last week it will offer rewards of up to $10 million for information about cyberthreats to the nation's critical infrastructure (see: US Offering $10 Million Reward for Cyberthreat Information).
The Cybersecurity and Infrastructure Security Agency also launched a new ransomware resources website called StopRansomware for businesses, individuals and organizations.