Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security IT

Law Firm That Handles Data Breaches Was Hit By Data Breach (techcrunch.com) 26

An international law firm that works with companies affected by security incidents has experienced its own cyberattack that exposed the sensitive health information of hundreds of thousands of data breach victims. From a report: San Francisco-based Orrick, Herrington & Sutcliffe said last week that hackers stole the personal information and sensitive health data of more than 637,000 data breach victims from a file share on its network during an intrusion in March 2023. Orrick works with companies that are hit by security incidents, including data breaches, to handle regulatory requirements, such as obtaining victims' information in order to notify state authorities and the individuals affected. In a series of data breach notification letters sent to affected individuals, Orrick said the hackers stole reams of data from its systems that pertain to security incidents at other companies, during which Orrick served as legal counsel.
This discussion has been archived. No new comments can be posted.

Law Firm That Handles Data Breaches Was Hit By Data Breach

Comments Filter:
  • Can't Wait (Score:2, Interesting)

    by Anonymous Coward
    for an AI that's trained on the data that was gathered in all those breaches.
  • by Anonymous Coward
    Who's going to rep Orrick, Herrington & Sutcliffe? Just can't make this stuff up...
  • "San Francisco-based..."
    Ohhhh yeah, that makes sense. You don't even have to tell me how it happened now. Living and operating there on purpose is already the definition of irresponsible and careless.
  • Were the 637,000 people victims of a breach before the law firm had their data, or as a result?

    • It sounds like those people have been re-victimized.

      The law firm was hired to handle things like... mandatory reporting of a prior breach to victims, which required handing over their contact info.

      If there's info in excess of that which was in their possession... then yeah, that's pretty stupid.

      • Re:Before or after? (Score:5, Informative)

        by silentbozo ( 542534 ) on Thursday January 04, 2024 @04:04PM (#64132501) Journal

        Omfg:

        "Orrick said the stolen data includes consumer names, dates of birth, postal address and email addresses, and government-issued identification numbers, such as Social Security numbers, passport and driver license numbers, and tax identification numbers. The data also includes medical treatment and diagnosis information, insurance claims information â" such as the date and costs of services â" and healthcare insurance numbers and provider details."

        Why would they be keeping that information in a fileshare?

        • In a fairly open and unsecured fileshare too...

          Short answer? They're idiots.

          Long answer? They're friggin' idiots.

    • by gweihir ( 88907 )

      They were victims before, now they will be victims again. A lot of them will _not_ have fixed their issues.

  • Okay (Score:5, Funny)

    by fahrbot-bot ( 874524 ) on Thursday January 04, 2024 @03:58PM (#64132483)

    Law Firm That Handles Data Breaches Was Hit By Data Breach

    That explains the new "Irony" line-item/surcharge on all their client invoices.

  • by Slashythenkilly ( 7027842 ) on Thursday January 04, 2024 @04:07PM (#64132509)
    Those responsible for sacking the people who have just been sacked, have been sacked.
  • At this point it’s not if your data had been stolen, but how many times over has it been stolen.
  • by bumblebees ( 1262534 ) on Thursday January 04, 2024 @05:38PM (#64132773)
    They would learn from their clients... But nooo let's stick all that data on a windows share... Nobody will be able to just grab it.
  • Sloppy. (Score:4, Insightful)

    by MrMacman2u ( 831102 ) on Thursday January 04, 2024 @06:18PM (#64132881) Journal

    While human error is, with near absolute certainty, the trigger; it seems laziness and/or sloppiness is a large part of the cause of this breech. Not only was the investigation on the data that was stolen was completed in october, but the file itself was unencrypted and open to anyone who had access to that share to see, the fact that the file share seems to have been widely accessible in the company and the date was even still around are all severe marks against Orrick.

    I understand there is a balance between convenience and security, but when you're a cyber security law firm dealing with sensitive data; you err FAR to the side of security.

    My money is on a company wide public file share, the attackers phished a lower level dunce and made off with the unsecured plain text digital loot...... for almost 3 weeks.

    Boy howdy, now there's a security company that really knows how to run their business.

  • by Opportunist ( 166417 ) on Thursday January 04, 2024 @06:34PM (#64132913)

    If you want to know what company is vulnerable, and possibly even want a hint where, that's where that data is.

    It's the gift that keeps on giving.

    • by gweihir ( 88907 )

      It does. Most of the target companies that got hit do not actually have a primary IT security problem, but actually have a management/insight/greed problem. The IT security problem just results from that. As management is pretty hard to "fix" (you essentially have to sack them all), many of those targets will remain vulnerable and are a far better investment for attackers than a target that has never been successfully compromised.

      Hence this data is really valuable to attackers and should have been protected

  • Is this Slashdot story ridiculously late, or did it really take them 10 months to notice that somebody broke into their systems?

  • Companies and government agencies getting hacked is boring. When are cyborgs going to get in on the action?

  • Orrick was the go-to legal firm for startups.

"The following is not for the weak of heart or Fundamentalists." -- Dave Barry

Working...