Wiley Rein: Law firm Wiley Rein hit with class action over data breach tied to Chinese hackers

Wiley Rein: Law firm Wiley Rein hit with class action over data breach tied to Chinese hackers

U.S. Law Firm Wiley Rein Hit by Alleged Chinese-Linked Cyberattack, Faces Class-Action Lawsuit

A proposed class-action lawsuit has been filed against prominent U.S. law firm Wiley Rein, alleging the firm failed to protect sensitive personal data stolen in a cyberattack believed to be carried out by hackers affiliated with the Chinese government. The complaint, filed on May 24, 2026, in the U.S. District Court for the District of Columbia, seeks damages for potentially thousands of affected individuals.

According to the lawsuit, cybercriminals accessed Microsoft 365 email accounts belonging to Wiley Rein personnel between July 2024 and June 2025, though the breach was not detected until 2025. The stolen data allegedly includes names, addresses, dates of birth, financial account numbers, medical information, and Social Security numbers. Victims were not notified until March 6, 2026, nearly a year after the intrusion was discovered.

Wiley Rein acknowledged in an internal investigation that the attack was likely conducted by a group with ties to the Chinese government. The firm has since offered affected individuals 12 months of complimentary credit monitoring and claimed to have strengthened its security measures. However, the lawsuit argues that the breach resulted from inadequate cybersecurity safeguards, including the lack of multi-factor authentication (MFA) and insufficient staff training, with the initial intrusion traced to a phishing email.

The named plaintiff, Derrick Burkett, a Florida resident, alleges he had no direct relationship with Wiley Rein but believes his data was obtained through the firm’s representation of a client. Burkett claims the breach led to 19 fraudulent charges on a MetLife estate account.

Wiley Rein, which employs 260 attorneys and specializes in regulatory legal services, particularly for the telecommunications industry, has not yet responded to requests for comment. The case (Derrick Burkett v. Wiley Rein, No. 26-cv-1791) highlights the growing threat of state-linked cyberattacks targeting law firms, which hold vast amounts of sensitive client data. The lawsuit argues that the firm’s failure to secure third-party data collected without explicit consent sets this breach apart from typical incidents.

Source: https://www.reuters.com/legal/government/law-firm-wiley-rein-hit-with-class-action-over-data-breach-tied-chinese-hackers-2026-05-26/

Wiley Rein LLP cybersecurity rating report: https://www.rankiteo.com/company/wiley-rein-llp

"id": "WIL1779812774",
"linkid": "wiley-rein-llp",
"type": "Breach",
"date": "7/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Potentially thousands',
                        'industry': 'Legal Services (Telecommunications '
                                    'Regulatory)',
                        'location': 'United States',
                        'name': 'Wiley Rein',
                        'size': '260 attorneys',
                        'type': 'Law Firm'}],
 'attack_vector': 'Phishing Email',
 'customer_advisories': '12 months of complimentary credit monitoring offered '
                        'to affected individuals',
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Names, addresses, '
                                                        'dates of birth, '
                                                        'Social Security '
                                                        'numbers',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Financial Data',
                                              'Medical Information']},
 'date_detected': '2025',
 'date_publicly_disclosed': '2026-03-06',
 'description': 'A proposed class-action lawsuit has been filed against '
                'prominent U.S. law firm Wiley Rein, alleging the firm failed '
                'to protect sensitive personal data stolen in a cyberattack '
                'believed to be carried out by hackers affiliated with the '
                'Chinese government. The breach involved unauthorized access '
                'to Microsoft 365 email accounts, leading to the exposure of '
                'personally identifiable information and financial data.',
 'impact': {'brand_reputation_impact': 'Significant',
            'customer_complaints': 'Class-action lawsuit filed',
            'data_compromised': 'Names, addresses, dates of birth, financial '
                                'account numbers, medical information, Social '
                                'Security numbers',
            'identity_theft_risk': 'High (19 fraudulent charges reported)',
            'legal_liabilities': 'Class-action lawsuit (Derrick Burkett v. '
                                 'Wiley Rein, No. 26-cv-1791)',
            'operational_impact': 'Inadequate cybersecurity safeguards, '
                                  'delayed breach notification',
            'payment_information_risk': 'High',
            'systems_affected': 'Microsoft 365 email accounts'},
 'initial_access_broker': {'entry_point': 'Phishing email'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Inadequate cybersecurity safeguards (e.g., lack of MFA, '
                    'insufficient staff training) contributed to the breach. '
                    'Delayed notification exacerbated risks for affected '
                    'individuals.',
 'motivation': 'Espionage, Data Theft',
 'post_incident_analysis': {'corrective_actions': 'Strengthened security '
                                                  'measures, offered credit '
                                                  'monitoring',
                            'root_causes': 'Lack of MFA, insufficient staff '
                                           'training, delayed breach '
                                           'detection'},
 'recommendations': ['Implement Multi-Factor Authentication (MFA) for all '
                     'accounts',
                     'Enhance staff training on phishing and cybersecurity '
                     'best practices',
                     'Improve breach detection and response times',
                     'Ensure timely notification of affected individuals in '
                     'compliance with regulations'],
 'references': [{'date_accessed': '2026-05-24',
                 'source': 'Class-action lawsuit filing'}],
 'regulatory_compliance': {'legal_actions': 'Class-action lawsuit (Derrick '
                                            'Burkett v. Wiley Rein, No. '
                                            '26-cv-1791)'},
 'response': {'communication_strategy': 'Delayed notification (March 6, 2026)',
              'containment_measures': 'Strengthened security measures',
              'remediation_measures': 'Offered 12 months of complimentary '
                                      'credit monitoring'},
 'threat_actor': 'Chinese government-affiliated hackers',
 'title': 'U.S. Law Firm Wiley Rein Hit by Alleged Chinese-Linked Cyberattack, '
          'Faces Class-Action Lawsuit',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Lack of Multi-Factor Authentication (MFA)'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.