By Emma Nitzsche
Campbell Conroy & O’Neil, a major law firm that advocates for hundreds of influential organizations, confirmed a ransomware attack in February of this year. The breach may have leaked Social Security numbers, health insurance information, and even biometric data.
The law firm represents clients in over a dozen sectors of the economy, including Ford, Boeing, Exxon Mobil, Quest Diagnostics, Liberty Mutual, Johnson & Johnson, Walgreens, Monsanto, FedEx, and Coca-Cola.
“We determined that the information present in the system included certain individuals’ names, dates of birth, driver’s license numbers/state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials (usernames and passwords),” Campbell said on their website.
When the firm detected the attack, it notified the FBI immediately. Most recently, the FBI encouraged businesses to refrain from paying ransom to cybercriminals. However, it is not yet known if Campbell Conroy & O’Neil paid any money to the hackers. It is reported that Campbell hired third-party forensics investigators to determine the information affected by the breach.
In recent months, there has been an increase in cyber-attacks on critical companies throughout the U.S. For example, the attack on the Colonial Pipeline in May disrupted the gas supply chain and subsequently caused widespread panic buying. Shortly after, a cyberattack against JBS Foods temporarily shut down nine U.S. beef processing plants.
Last year, the REvil ransomware cybercriminal group attacked Grubman Shire Meiselas & Sacks. The law firm represented high-profile clients such as Lady Gaga, Mariah Carey, and Bruce Springsteen. Some of its clients even include companies like Facebook, iHeartMedia, IMAX, Sony, and HBO. The cybercriminals expected 12 Bitcoin as ransom in exchange for the decryption key.
Trevor Morning, a product manager with data security specialists, said law firms are a key target for ransomware attacks because they hold a vast amount of sensitive information.
“Law firms and legal service providers should be paying attention to this breach and immediately assessing their defensive posture,” Morning explained. “If you’re one of these organizations, you should be asking whether your sensitive data resides in a vulnerable clear state behind what you believe is a well-protected perimeter, or whether you apply some form of data-centric security to it.”
In its statement, Campbell said it reviewed its existing privacy features and is working to limit access to secure information. Additionally, it will offer 24 months of complimentary access to credit monitoring, fraud consultation, and identity theft restoration services to clients whose Social Security numbers may have been accessible from the breach.