Cyber attack on New York law firm impacted close to 3.5 million individuals

New York-based law firm Wolf Haldenstein Adler Freeman & Herz said it experienced a significant cyber security incident that compromised the sensitive personal information of almost 3.5 million individuals.

 

In a cyber security incident notice posted on its website, the law firm said that on December 13, 2023, it detected suspicious activity in its internal network. The firm immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“As a result of the investigation, Wolf Haldenstein learned that an unauthorised actor accessed certain files and data stored within its network,” read the notice.

 

The compromised data included names, Social Security numbers, employee identification numbers, medical diagnosis, and medical claim information. In a filing with the Office of the Maine Attorney General, Wolf Haldenstein said that it identified at least 3,445,537 individuals who were impacted by the incident.

 

“As part of its ongoing commitment to the security of information, Wolf Haldenstein reviewed and enhanced its existing policies and procedures related to data privacy to reduce the likelihood of a similar future event,” the firm added.

 

While Wolf Haldenstein found no evidence of the compromise data being misused, it has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and state attorney general. 

 

The law firm has also offered complimentary identity protection and credit monitoring services to all affected individuals.

 

In December 2023, the Black Basta ransomware group claimed responsibility for hacking into the internal network of Wolf Haldenstein and listed it as a victim on its data leak site.

 

 

The group gave the company a deadline of 7 days to meet its ransom demands, after which it threatened to leak the stolen data. It is unclear whether the law firm engaged with the hacker group or paid a ransom to regain access to the stolen data.