Recently, Williams & Connolly reported to the Attorney General of the Commonwealth of Massachusetts that it had experienced a data breach in which sensitive personal identifiable information in its care may have been compromised. According to the breach notice, in late August 2025, Williams & Connolly discovered unauthorized access to certain systems on its network.1 As a result, Williams & Connolly launched an investigation to determine the nature of the incident.
Through its investigation, Williams & Connolly confirmed that sensitive personal information in employee email accounts may have been accessed by an unauthorized third party during the breach. As a result, Williams & Connolly began a review of the data to determine what information had been impacted as well as identify the specific individuals affected. While the information impacted varies depending on the individual, the type of information potentially exposed includes:5
Name
Social Security number
As a result of the breach, Williams & Connolly began mailing data breach notification letters to impacted individuals. Based on the breach notice sent to Massachusetts residents, Williams & Connolly is providing affected individuals with a list of the specific types of sensitive information impacted and 24 months of complimentary credit monitoring services. A link to the breach notification letters that Williams & Connolly filed with the Attorney General of the Commonwealth of Massachusetts is below.
Source: https://straussborrelli.com/2025/12/01/williams-connolly-data-breach-investigation/
Williams & Connolly LLP cybersecurity rating report: https://www.rankiteo.com/company/williams-&-connolly-llp
"id": "WIL1764626595",
"linkid": "williams-&-connolly-llp",
"type": "Breach",
"date": "8/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'customers_affected': None,
'industry': 'Legal Services',
'location': 'United States '
'(Massachusetts)',
'name': 'Williams & Connolly',
'size': None,
'type': 'Law Firm'}],
'customer_advisories': ['Data breach notification letters with '
'details of impacted PII and credit '
'monitoring services'],
'data_breach': {'data_encryption': None,
'data_exfiltration': 'Potential (unauthorized '
'access confirmed)',
'file_types_exposed': ['Email account data'],
'number_of_records_exposed': None,
'personally_identifiable_information': ['Name',
'Social '
'Security '
'number'],
'sensitivity_of_data': 'High (includes Social '
'Security numbers)',
'type_of_data_compromised': ['Personally '
'Identifiable '
'Information '
'(PII)']},
'date_detected': '2025-08',
'description': 'Williams & Connolly reported a data breach to '
'the Attorney General of the Commonwealth of '
'Massachusetts, where unauthorized access to '
'certain systems on its network was discovered in '
'late August 2025. The breach potentially '
'compromised sensitive personal identifiable '
'information (PII) in employee email accounts, '
'including names and Social Security numbers. The '
'firm is offering 24 months of complimentary '
'credit monitoring services to affected '
'individuals.',
'impact': {'brand_reputation_impact': 'Potential negative impact '
'due to exposure of '
'sensitive PII',
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': ['Name', 'Social Security number'],
'downtime': None,
'financial_loss': None,
'identity_theft_risk': 'High (PII including SSNs '
'exposed)',
'legal_liabilities': None,
'operational_impact': None,
'payment_information_risk': None,
'revenue_loss': None,
'systems_affected': ['Employee email accounts']},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': None,
'high_value_targets': ['Employee email '
'accounts'],
'reconnaissance_period': None},
'investigation_status': 'Ongoing (review of impacted data and '
'identification of affected individuals '
'in progress)',
'post_incident_analysis': {'corrective_actions': None,
'root_causes': None},
'ransomware': {'data_encryption': None,
'data_exfiltration': None,
'ransom_demanded': None,
'ransom_paid': None,
'ransomware_strain': None},
'references': [{'date_accessed': None,
'source': 'Attorney General of the Commonwealth '
'of Massachusetts - Breach Notice',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': None,
'regulations_violated': None,
'regulatory_notifications': ['Notification '
'to the '
'Attorney '
'General '
'of the '
'Commonwealth '
'of '
'Massachusetts']},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': ['Data breach '
'notification letters '
'mailed to impacted '
'individuals',
'Filing with the '
'Attorney General of the '
'Commonwealth of '
'Massachusetts'],
'containment_measures': None,
'enhanced_monitoring': None,
'incident_response_plan_activated': True,
'law_enforcement_notified': None,
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': ['24 months of complimentary '
'credit monitoring services '
'for affected individuals'],
'remediation_measures': ['Review of impacted data',
'Identification of '
'affected individuals'],
'third_party_assistance': None},
'threat_actor': 'Unauthorized third party',
'title': 'Williams & Connolly Data Breach (2025)',
'type': 'Data Breach'}