Fragomen, Del Rey, Bernsen & Loewy LLP, a law firm that offers employment verification compliance services to Google in the United States, suffered unauthorised access into its computer systems in September that resulted in hackers accessing the personal information of present and former Google employees.
Even though the law firm did not disclose how many present and former Google employees were affected by the security incident, it said in a notice with the California attorney general’s office that hackers gained access to a single file containing personal information relating to I-9 employment verification services.
"We promptly commenced an investigation upon learning of this activity and engaged a digital forensic investigation firm to assist with this investigation. While we have no evidence at this point in time that your information has been viewed, we wanted to notify you of this incident and assure you that we take it very seriously. We have taken steps in response to this incident, including implementing enhancements to our IT Security infrastructure and detection capabilities," the firm said.
According to Ilia Kolochenko, Founder & CEO of ImmuniWeb, the fact that hackers targeted a law firm that stores a large amount of data associated with present and former Google employees is not surprising as law firms possess a great wealth of the most confidential and sensitive data of their wealthy or politically-exposed clients, and habitually cannot afford the same state-of-the-art level of cybersecurity as the original data owners.
"Frequently, large law firms become cybercrime victims because of breached suppliers that have privileged access to their networks – not that infrequent without any control or monitoring of such access. Ransomware attacks, crushing IT operations of the large law firms, is just the tip of a formidable hacking iceberg.
"The most sophisticated attackers virtually never leave any noticeable trace and do their best to conceal the very fact of intrusion. We should consider developing a national security standard, imposing strict data protection rules on law firms of a certain size. Otherwise, most of the enacted cybersecurity regulations, covering large clients of law firms, eventually become futile and ineffective," he added.
In May this year, a hacker group used the feared REvil ransomware to infiltrate the network of media and entertainment law firm Grubman Shire Meiselas & Sacks and steal up to 756GB of data including contracts, nondisclosure agreements, phone numbers, email addresses, music rights, and personal correspondence of a large number of well-known American celebrities.
Grubman Shire Meiselas & Sacks counts well-known celebrities across genres like media and entertainment, sport, television, and the corporate world as its clients. The hackers behind the cyber attack said the data in their possession included classified information belonging to celebrities like Lady Gaga, Madonna, Nicki Minaj, Bruce Springsteen, Mary J. Blige, Ella Mai, Christina Aguilera, Mariah Carey, Cam Newton, Bette Midler, Jessica Simpson, Priyanka Chopra, Idina Menzel, and Run DMC.