Well-known U.S. law firm Campbell Conroy & O’Neil, which represents a number of Fortune 500 clients, has admitted to suffering a ransomware attack in February that compromised the sensitive personal information of its clients.
Providing services to an array of Fortune 500 companies, Campbell Conroy & O’Neil has many big-name clients, including Ford, Boeing, Exxon Mobil, Quest Diagnostics, Liberty Mutual, Johnson & Johnson, Walgreens, Monsanto, FedEx and Coca-Cola. The firm said that in February, it noticed suspicious activity on its network. After investigating the matter, the firm was able to determine that it was hit by a ransomware attack that blocked access to certain files on the affected system.
Campbell Conroy & O’Neil immediately launched a deeper investigation, with the aid of third-party forensic investigators, to identify the full nature and scope of the attack and also alerted the FBI about the incident.
Though the firm could not verify whether the intruder accessed or viewed any specific information relating to individuals, it said that the targeted system stored confidential information, including the names, dates of birth, driver’s license numbers/state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials (i.e. usernames and passwords).
“That the information varies by individual and for many individuals, a limited number of data types were determined to be accessible,” it added. As a precaution, Campbell is providing twenty-four months of complimentary access to credit monitoring, fraud consultation, and identity theft restoration services to individuals whose Social Security numbers or the equivalent were accessed in this event.
“Campbell is committed to, and takes very seriously, its responsibility to protect all data entrusted to us. As part of our ongoing commitment to the privacy of personal information in our care, we are reviewing our existing policies and procedures, and are working to implement additional safeguards to further secure our information systems,” the firm said.
Commenting on the ransomware attack targeting Campbell Conroy & O’Neil, Neil Jones, the Cybersecurity Evangelist at Egnyte, told TEISS that “the breach is reminiscent of the Mossack Fonseca breach that occurred in 2016, resulting in the infamous ‘Panama Papers’ scandal that revealed a wide range of private information about Mossack Fonseca’s high-profile legal clients.
“In addition to the traditional data security best practices that I always recommend, such as protecting your company’s highly-sensitive files and restricting access to files based on ‘business need to know,’ this is a classic example of the need to inquire about the data security policies for the third parties that handle your organisation’s privileged corporate data.
“Otherwise, your customers or employees could be negatively impacted and your brand reputation can be tarnished. Furthermore, an initial breach or ransomware attack can reveal third-party providers’ IT vulnerabilities that can be capitalised on by attackers at a later date,” he added.
This isn’t the first time that a well-known law firm has been targeted by ransomware groups. In May of last year, the REvil ransomware gang infiltrated the network of media and entertainment law firm Grubman Shire Meiselas & Sacks and stole the personal data and contractual information belonging to celebrities like Elton John, Madonna, Nicki Minaj, Bruce Springsteen, Mariah Carey, and Jessica Simpson.
The massive breach involved the hacker group using the REvil ransomware to infiltrate the law firm’s network and stealing up to 756GB of data, including contracts, nondisclosure agreements, phone numbers, email addresses, music rights, and personal correspondence of a large number of well-known American celebrities.