Orrick, Herrington & Sutcliffe, Proskauer Rose, Cravath Swaine & Moore, Mossack Fonseca and Weil Gotshal & Manges: Biggest Legal Industry Cyber Attacks

Orrick, Herrington & Sutcliffe, Proskauer Rose, Cravath Swaine & Moore, Mossack Fonseca and Weil Gotshal & Manges: Biggest Legal Industry Cyber Attacks

Law Firms Under Siege: A Rising Tide of Cyber Attacks Targets the Legal Industry

The legal sector is facing an escalating cybersecurity crisis, with law firms increasingly targeted by sophisticated threat actors. A recent survey by Arctic Wolf and Above the Law revealed that 39% of law firms experienced a security breach in the past year, with 56% of those incidents resulting in the loss of confidential client data a devastating outcome for an industry built on trust and discretion.

Why Law Firms Are Prime Targets

Several factors make law firms particularly vulnerable:

  • Digital transformation: Firms rely heavily on cloud-based applications and web platforms, expanding their attack surface.
  • Valuable data: They store vast amounts of sensitive client information, including financial records, PII, and privileged legal documents.
  • Lack of preparedness: Only 26% of firms consider themselves "very prepared" to respond to cyber incidents.
  • Resource constraints: Many lack dedicated cybersecurity personnel or struggle to meet evolving compliance standards.
  • Sophisticated threats: The average ransom demand for legal organizations reached $1 million in 2023, with attackers exploiting weak incident response (IR) plans and third-party vulnerabilities.

Notable Cyber Attacks on Law Firms

1. Orrick, Herrington & Sutcliffe (2023)

  • Attack type: Data exfiltration (details undisclosed)
  • Impact: Compromised PII and health data of 637,000 breach victims, leading to multiple class-action lawsuits.
  • Target: The firm specializes in data breach litigation, making its own client records a high-value target.

2. Grubman Shire Meiselas & Sacks (2020)

  • Attack type: Ransomware (REvil group)
  • Demand: Initially $21 million, later doubled to $42 million after hackers leaked Lady Gaga’s legal documents.
  • Outcome: The firm denied paying the ransom, though reports suggest a partial payment of $365,000 was made.

3. Proskauer Rose (2023)

  • Attack type: Data breach via unsecured Microsoft Azure cloud server
  • Impact: 184,000+ files exposed for six months, including financial deals, NDAs, and acquisition documents.
  • Response: The firm secured the server and launched an investigation with cybersecurity experts.

4. HWL Ebsworth (2023)

  • Attack type: Ransomware (ALPHV/Blackcat)
  • Impact: 4TB of data (2.2 million files) stolen, including employee IDs, financial reports, and client documentation.
  • Aftermath: Hackers leaked 1.45TB of data on the dark web; an Australian court issued an injunction to block access.

5. DLA Piper (2017)

  • Attack type: NotPetya ransomware (originating in Ukraine)
  • Impact: Global disruption employees lost access to email, phones, and documents. The firm spent 15,000 hours in overtime rebuilding its Windows environment.
  • Attribution: Linked to Russian state-backed actors.

6. Mossack Fonseca (2016)

  • Attack type: Alleged hack (or insider leak)
  • Impact: 11.5 million documents (Panama Papers) exposed, revealing tax evasion schemes and shell companies.
  • Aftermath: Governments recovered $1.2 billion in unpaid taxes; the firm shut down in 2018 amid reputational damage.

7. Cravath Swaine & Moore / Weil Gotshal & Manges (2016)

  • Attack type: Insider trading via malware
  • Perpetrators: Three Chinese nationals stole confidential M&A data, earning $4 million in illicit profits.
  • Penalty: The SEC fined them $8.8 million.

The Broader Impact

Cyber attacks on law firms extend beyond financial losses. Breaches erode client trust, disrupt operations (e.g., frozen billing systems), and trigger regulatory scrutiny. Many firms remain silent about incidents due to lack of mandatory disclosure laws, leaving the full scope of the problem unknown.

As threat actors refine their tactics from ransomware to phishing and insider threats the legal industry must confront its cybersecurity gaps or risk becoming a persistent target.

Source: https://arcticwolf.com/resources/blog/top-legal-industry-cyber-attacks/

Orrick, Herrington & Sutcliffe TPRM report: https://www.rankiteo.com/company/orrick

Proskauer Rose TPRM report: https://www.rankiteo.com/company/proskauer

Cravath Swaine & Moore TPRM report: https://www.rankiteo.com/company/cravath-swaine-&-moore-llp

Mossack Fonseca TPRM report: https://www.rankiteo.com/company/mossack-fonseca-&-co-

Weil Gotshal & Manges TPRM report: https://www.rankiteo.com/company/weil-gotshal-and-manges

"id": "orrweicramospro1782779207",
"linkid": "orrick, weil-gotshal-and-manges, cravath-swaine-&-moore-llp, mossack-fonseca-&-co-, proskauer",
"type": "Breach",
"date": "7/2022",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '637,000 breach victims',
                        'industry': 'Legal',
                        'name': 'Orrick, Herrington & Sutcliffe',
                        'type': 'Law firm'},
                       {'industry': 'Legal',
                        'name': 'Grubman Shire Meiselas & Sacks',
                        'type': 'Law firm'},
                       {'industry': 'Legal',
                        'name': 'Proskauer Rose',
                        'type': 'Law firm'},
                       {'industry': 'Legal',
                        'location': 'Australia',
                        'name': 'HWL Ebsworth',
                        'type': 'Law firm'},
                       {'industry': 'Legal',
                        'location': 'Global',
                        'name': 'DLA Piper',
                        'type': 'Law firm'},
                       {'industry': 'Legal',
                        'name': 'Mossack Fonseca',
                        'type': 'Law firm'},
                       {'industry': 'Legal',
                        'name': 'Cravath Swaine & Moore',
                        'type': 'Law firm'},
                       {'industry': 'Legal',
                        'name': 'Weil Gotshal & Manges',
                        'type': 'Law firm'}],
 'attack_vector': ['Cloud vulnerabilities',
                   'Phishing',
                   'Third-party vulnerabilities',
                   'Unsecured servers'],
 'data_breach': {'data_encryption': ['Yes (NotPetya, ALPHV/Blackcat)'],
                 'data_exfiltration': ['Yes (Orrick, HWL Ebsworth, Grubman '
                                       'Shire Meiselas & Sacks)'],
                 'file_types_exposed': ['Legal documents',
                                        'Financial deals',
                                        'NDAs',
                                        'Acquisition documents',
                                        'Employee IDs'],
                 'number_of_records_exposed': ['637,000 (Orrick)',
                                               '11.5 million (Panama Papers)',
                                               '2.2 million files (HWL '
                                               'Ebsworth)',
                                               '184,000+ files (Proskauer '
                                               'Rose)'],
                 'personally_identifiable_information': ['Yes (Orrick, HWL '
                                                         'Ebsworth)'],
                 'sensitivity_of_data': ['High (privileged legal documents, '
                                         'tax evasion schemes, shell '
                                         'companies)'],
                 'type_of_data_compromised': ['PII',
                                              'Health data',
                                              'Financial records',
                                              'Legal documents',
                                              'NDAs',
                                              'Acquisition documents',
                                              'Employee IDs',
                                              'M&A data']},
 'description': 'The legal sector is facing an escalating cybersecurity '
                'crisis, with law firms increasingly targeted by sophisticated '
                'threat actors. A recent survey revealed that 39% of law firms '
                'experienced a security breach in the past year, with 56% of '
                'those incidents resulting in the loss of confidential client '
                'data. Law firms are prime targets due to their digital '
                'transformation, valuable data, lack of preparedness, resource '
                'constraints, and sophisticated threats like ransomware.',
 'impact': {'brand_reputation_impact': ['Firm shutdown (Mossack Fonseca)',
                                        'Class-action lawsuits (Orrick, '
                                        'Herrington & Sutcliffe)'],
            'data_compromised': ['Confidential client data',
                                 'PII',
                                 'Health data',
                                 'Financial records',
                                 'Legal documents',
                                 'NDAs',
                                 'Acquisition documents',
                                 'Employee IDs',
                                 'M&A data'],
            'downtime': ['15,000 hours (DLA Piper)'],
            'financial_loss': ['$1 million (average ransom demand in 2023)',
                               '$42 million (Grubman Shire Meiselas & Sacks)',
                               '$365,000 (partial ransom payment)',
                               '$1.2 billion (tax recovery post-Panama Papers)',
                               '$4 million (illicit profits from insider '
                               'trading)',
                               '$8.8 million (SEC fine)'],
            'identity_theft_risk': ['637,000 breach victims (Orrick)',
                                    '2.2 million files exposed (HWL Ebsworth)'],
            'legal_liabilities': ['Class-action lawsuits',
                                  'Regulatory fines',
                                  'Injunctions'],
            'operational_impact': ['Global disruption',
                                   'Frozen billing systems',
                                   'Loss of access to critical systems'],
            'systems_affected': ['Cloud-based applications',
                                 'Email systems',
                                 'Phones',
                                 'Document management systems',
                                 'Billing systems']},
 'initial_access_broker': {'data_sold_on_dark_web': ['Yes (HWL Ebsworth)'],
                           'high_value_targets': ['M&A data (Cravath Swaine & '
                                                  'Moore / Weil Gotshal & '
                                                  'Manges)']},
 'lessons_learned': 'Law firms must address cybersecurity gaps, including weak '
                    'incident response plans, lack of dedicated personnel, '
                    'unsecured cloud servers, and third-party vulnerabilities. '
                    "The industry's reliance on digital transformation and "
                    'valuable data makes it a prime target for sophisticated '
                    'threat actors.',
 'motivation': ['Financial gain',
                'Data theft',
                'Insider trading',
                'Reputational damage'],
 'post_incident_analysis': {'corrective_actions': ['Securing cloud servers',
                                                   'Rebuilding systems (DLA '
                                                   'Piper)',
                                                   'Enhancing monitoring',
                                                   'Improving incident '
                                                   'response plans'],
                            'root_causes': ['Weak incident response plans',
                                            'Unsecured cloud servers',
                                            'Third-party vulnerabilities',
                                            'Lack of cybersecurity personnel',
                                            'Sophisticated threat actors']},
 'ransomware': {'data_encryption': ['Yes (NotPetya, ALPHV/Blackcat)'],
                'data_exfiltration': ['Yes (REvil, ALPHV/Blackcat)'],
                'ransom_demanded': ['$21 million (Grubman Shire Meiselas & '
                                    'Sacks)',
                                    '$42 million (Grubman Shire Meiselas & '
                                    'Sacks)',
                                    '$1 million (average in 2023)'],
                'ransom_paid': ['$365,000 (partial payment, Grubman Shire '
                                'Meiselas & Sacks)'],
                'ransomware_strain': ['REvil', 'ALPHV/Blackcat', 'NotPetya']},
 'recommendations': 'Improve incident response plans, invest in dedicated '
                    'cybersecurity personnel, secure cloud environments, '
                    'enhance monitoring, and comply with evolving regulatory '
                    'standards to mitigate risks.',
 'references': [{'source': 'Arctic Wolf and Above the Law survey'}],
 'regulatory_compliance': {'fines_imposed': ['$8.8 million (SEC fine for '
                                             'insider trading)'],
                           'legal_actions': ['Class-action lawsuits (Orrick)',
                                             'Injunctions (HWL Ebsworth)'],
                           'regulations_violated': ['Data protection laws',
                                                    'Tax laws (Panama '
                                                    'Papers)']},
 'response': {'containment_measures': ['Secured unsecured server (Proskauer '
                                       'Rose)',
                                       'Injunction to block dark web access '
                                       '(HWL Ebsworth)'],
              'incident_response_plan_activated': ['Yes (Proskauer Rose)',
                                                   'No (general industry '
                                                   'trend)'],
              'remediation_measures': ['Rebuilt Windows environment (DLA '
                                       'Piper)'],
              'third_party_assistance': ['Cybersecurity experts (Proskauer '
                                         'Rose)']},
 'threat_actor': ['REvil group',
                  'ALPHV/Blackcat',
                  'Russian state-backed actors',
                  'Chinese nationals'],
 'title': 'Law Firms Under Siege: A Rising Tide of Cyber Attacks Targets the '
          'Legal Industry',
 'type': ['Data exfiltration', 'Ransomware', 'Data breach', 'Malware'],
 'vulnerability_exploited': ['Weak incident response plans',
                             'Unsecured Microsoft Azure cloud server',
                             'Lack of dedicated cybersecurity personnel']}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.