Law Firm That Handles Data Breaches Was Hit By Data Breach (techcrunch.com)
An international law firm that works with companies affected by security incidents has experienced its own cyberattack that exposed the sensitive health information of hundreds of thousands of data breach victims. From a report: San Francisco-based Orrick, Herrington & Sutcliffe said last week that hackers stole the personal information and sensitive health data of more than 637,000 data breach victims from a file share on its network during an intrusion in March 2023. Orrick works with companies that are hit by security incidents, including data breaches, to handle regulatory requirements, such as obtaining victims' information in order to notify state authorities and the individuals affected. In a series of data breach notification letters sent to affected individuals, Orrick said the hackers stole reams of data from its systems that pertain to security incidents at other companies, during which Orrick served as legal counsel.
Can't Wait
The irony is thick here.
Re:
Re:
The vast majority of businesses run MS products, so yeah, the odds are that most businesses getting hacked run Windows, but plenty running *nix have been hacked as well. Correlation does not equal causation. Most of these incursions happen through social engineering. The article makes it sound like the data was stored on a file share probably open to nearly everyone in the company. How would *nix fix that? It has absolutely nothing to do with the underlying software running the business. Piss poor se
Re:
Re:
However, Active Directory has a really bad history (sendmail level bad).
Huh? Please be specific.
I cracked the case!
Ohhhh yeah, that makes sense. You don't even have to tell me how it happened now. Living and operating there on purpose is already the definition of irresponsible and careless.
Before or after?
Were the 637,000 people victims of a breach before the law firm had their data, or as a result?
Re:
It sounds like those people have been re-victimized.
The law firm was hired to handle things like... mandatory reporting of a prior breach to victims, which required handing over their contact info.
If there's info in excess of that which was in their possession... then yeah, that's pretty stupid.
Re: Before or after?
Omfg:
"Orrick said the stolen data includes consumer names, dates of birth, postal address and email addresses, and government-issued identification numbers, such as Social Security numbers, passport and driver license numbers, and tax identification numbers. The data also includes medical treatment and diagnosis information, insurance claims information, such as the date and costs of services, and healthcare insurance numbers and provider details."
Why would they be keeping that information in a fileshare?
Re:
In a fairly open and unsecured fileshare too...
Short answer? They're idiots.
Long answer? They're friggin' idiots.
Re:
They were victims before, now they will be victims again. A lot of them will _not_ have fixed their issues.
Okay
Law Firm That Handles Data Breaches Was Hit By Data Breach
That explains the new "Irony" line-item/surcharge on all their client invoices.
The Holy Grail of incompetence
Not if, but how many times..
Re:
You have that ass-backwards. No surprise given your history here.
One would think ..
Sloppy.
While human error is, with near absolute certainty, the trigger, it seems laziness and/or sloppiness is a large part of the cause of this breach. Not only was the investigation of the stolen data completed in October, but the file itself was unencrypted and open to anyone who had access to that share. The fact that the file share seems to have been widely accessible in the company, and that the data was even still around, are all severe marks against Orrick.
I understand there is a balance between convenience and security, but when you're a cyber security law firm dealing with sensitive data; you err FAR to the side of security.
My money is on a company-wide public file share: the attackers phished a lower-level dunce and made off with the unsecured plain-text digital loot... for almost 3 weeks.
Boy howdy, now there's a security company that really knows how to run their business.
Makes sense
If you want to know what company is vulnerable, and possibly even want a hint where, that's where that data is.
It's the gift that keeps on giving.
Re:
It does. Most of the target companies that got hit do not actually have a primary IT security problem, but actually have a management/insight/greed problem. The IT security problem just results from that. As management is pretty hard to "fix" (you essentially have to sack them all), many of those targets will remain vulnerable and are a far better investment for attackers than a target that has never been successfully compromised.
Hence this data is really valuable to attackers and should have been protected.
March of last year?
Is this Slashdot story ridiculously late, or did it really take them 10 months to notice that somebody broke into their systems?
Re:
They probably kept hoping this would blow over for 10 months...
Still waiting for an actual cyber attack
Companies and government agencies getting hacked is boring. When are cyborgs going to get in on the action?
The bigger news is Orrick was hit