The cyberattack on midsize Philadelphia law firm Stevens & Lee grew to include 23,066 people whose personal information was potentially compromised, including clients of the firm’s financial institution clients, according to public records.
The new figure, revealed in notices to authorities last month, is a sharp increase from the 344 potentially affected people reported by the 185-lawyer firm in December following the June 2021 cyberattack.
The breach is another reminder of the vulnerability of law firms, not just because of their vast repositories of client information, but because of their access to their clients' customers' personal information, which can be sold on the dark web or used as leverage to extort a firm.
Stevens & Lee initially alerted state attorneys general and affected consumers to the breach in December. In a notice to authorities at the time, the firm said an unauthorized third party may have gained access to the personal information of the firm's clients "or, as in your case, certain customers of our clients."
“You may not have heard of us, but we are a law firm that assists financial institutions, one of which was a financial institution that you had an account with or that provided services related to loans or accounts you held,” the firm said in letters to those affected, offering them free identity monitoring services.
"While at this time we have no evidence that any information has been misused, and no conclusive evidence that your specific information has been accessed, as a precaution we provide you with free credit and protection against identity theft," the firm wrote.
Richard Goldberg, a Philadelphia-based partner at Lewis Brisbois Bisgaard & Smith acting as counsel to the firm, reported to state authorities that the individuals' personal information, including names, Social Security numbers, driver's license numbers and account and card numbers, may have been accessed in the breach.
The impact of the breach was felt in several states.
In Massachusetts, the firm previously reported that two residents were affected. This number was updated to 1,835 in April, according to a data breach incident report submitted by Goldberg to the state's attorney general, Maura Healey.
In Maine, newly posted records from the state attorney general's office show the firm updated the number of affected people from 1 to 1,058 last month.
Goldberg and Jeanna Hahn, the firm's chief marketing officer, did not respond to requests for comment.
The most common cyberattacks faced by law firms are ransomware, business email compromise and "social engineering," or manipulating staff into leaking key information that would give access to the firm's network, said Karen Painter Randall, chair of the cybersecurity and data privacy practice and co-chair of the professional liability practice at Connell Foley.
“The fast-paced environment of a law firm often leads employees to be fooled by the false urgency of sophisticated phishing emails,” Randall said. “These emails can give a hacker access to either the corporate network or an employee’s email account, or both.”
In response to the threats posed by malicious actors, major law firms have increased their spending on the technology infrastructure protecting their networks. Cybersecurity lawyers say it’s a shift from the historical view law firms have had of IT as an expensive budget item that doesn’t pay off enough to justify the investment.
"The cost of security is probably the biggest increase in our technology budget," said Mark Morris, managing partner of Fox Rothschild. He added that IT spending was one of the biggest percentage increases in the firm's budget, rivaling real estate spending.
"Letters of engagement with clients dictate the levels of security you need. That's really important," Morris said. "... to save money."
Similarly, Armstrong Teasdale earlier this year promoted Tim Pyatt to the newly created position of chief information officer. "We serve a number of banks and hospital systems, so data privacy is of the utmost importance," said Patrick Rasche, the firm's managing partner.
Cybersecurity experts say traditional law firm defenses have been eroded by the advent of remote working, as home Wi-Fi networks may not be as secure and offer hackers multiple distributed points of attack.
Identifying a suspicious connection is difficult when employees are working remotely, said Chris Loehr, chief technology officer at cyberinsurer CFC Response. That's because accessing a firm's network from an offsite location or late at night, once warning signs of questionable activity, has become a common feature of modern work patterns.
“It used to be that you could detect things much more easily based on people’s patterns, but people’s patterns aren’t the same anymore,” Loehr said.
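The detection problem Loehr describes can be made concrete. The script below is an added example written for this page, not code from the article, the firm, or CFC Response; the login records, usernames and IP addresses (all from documentation ranges) are constructed, and the key=value log format, the office prefix and the office-hours window are assumptions. It scores the same batch of logins two ways: a static "after hours or off-site" rule of the kind that worked when everyone sat in the office, and a per-user baseline built from each user's own earlier logins. On the constructed data the static rule flags most of the remote workers' ordinary activity, while the per-user baseline flags only the login that departs from that user's own hours and geography.

```python
"""Login-anomaly scoring: a static after-hours/off-site rule versus a per-user baseline.

Added example. All log lines below are constructed and do not describe any real incident.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed SSO/VPN login records (hypothetical syslog-like key=value format).
# Baseline window: asmith and cdoe work from the office, bjones works remotely in the evenings.
BASELINE_LOG = """
2021-05-24T09:02:11Z user=asmith src=198.51.100.7 country=US result=OK
2021-05-24T14:31:40Z user=asmith src=198.51.100.7 country=US result=OK
2021-05-24T21:15:03Z user=bjones src=203.0.113.4 country=US result=OK
2021-05-25T06:20:48Z user=bjones src=203.0.113.4 country=US result=OK
2021-05-25T23:05:12Z user=bjones src=203.0.113.4 country=US result=OK
2021-05-25T10:12:00Z user=cdoe src=198.51.100.9 country=US result=OK
""".strip().splitlines()

# New batch to score: routine remote logins plus one login from a new country at 03:40.
NEW_LOG = """
2021-06-10T10:05:30Z user=asmith src=198.51.100.7 country=US result=OK
2021-06-10T13:00:02Z user=asmith src=203.0.113.4 country=US result=OK
2021-06-10T22:30:15Z user=bjones src=203.0.113.4 country=US result=OK
2021-06-11T06:15:09Z user=bjones src=203.0.113.4 country=US result=OK
2021-06-11T03:40:27Z user=cdoe src=192.0.2.9 country=RO result=OK
""".strip().splitlines()

OFFICE_PREFIX = "198.51.100."  # assumed office egress range
OFFICE_HOURS = range(8, 18)    # assumed 08:00-17:59 UTC


def parse(line):
    """Parse one record into a dict of fields plus a UTC datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def static_rule(ev):
    """Legacy heuristic: any login outside office hours or from off-site is suspicious."""
    reasons = []
    if ev["ts"].hour not in OFFICE_HOURS:
        reasons.append("after-hours")
    if not ev["src"].startswith(OFFICE_PREFIX):
        reasons.append("off-site")
    return reasons


def build_baseline(lines):
    """Record, per user, the hours of day and countries seen in successful logins."""
    base = defaultdict(lambda: {"hours": set(), "countries": set()})
    for line in lines:
        ev = parse(line)
        if ev.get("result") != "OK":
            continue
        base[ev["user"]]["hours"].add(ev["ts"].hour)
        base[ev["user"]]["countries"].add(ev["country"])
    return base


def hour_distance(a, b):
    """Circular distance between two hours of day (23 and 1 are 2 apart, not 22)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def baseline_rule(ev, base, hour_tolerance=2):
    """Per-user heuristic: flag only departures from this user's own hours or geography."""
    b = base.get(ev["user"])
    if b is None:
        return ["no-baseline"]
    reasons = []
    if all(hour_distance(ev["ts"].hour, h) > hour_tolerance for h in b["hours"]):
        reasons.append("unusual-hour")
    if ev["country"] not in b["countries"]:
        reasons.append("new-country")
    return reasons


def score(new_lines, baseline_lines):
    """Return (user, timestamp, static_reasons, baseline_reasons) for every new login."""
    base = build_baseline(baseline_lines)
    results = []
    for line in new_lines:
        ev = parse(line)
        results.append((ev["user"], ev["ts"].isoformat(), static_rule(ev), baseline_rule(ev, base)))
    return results


if __name__ == "__main__":
    for user, ts, static, baseline in score(NEW_LOG, BASELINE_LOG):
        print(f"{ts} {user:8} static={static or '-'} baseline={baseline or '-'}")
```

Run as written, the static rule raises four alerts out of five logins (every off-site or evening login, including bjones's routine ones), while the per-user baseline raises one, for cdoe's 03:40 login from a country that user has never logged in from. The baseline here is deliberately small (hour of day and country); in production one would add the ASN or /24 of the source, device identity, and a longer training window, and treat "no-baseline" users separately rather than as automatic alerts.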