Pillsbury faces class actions after cyberattack exposed sensitive personal data

Pillsbury Winthrop Shaw Pittman, a major U.S. law firm with offices across Los Angeles, Washington, New York, and other cities, faced two proposed federal class actions alleging that a cyberattack in April compromised sensitive personal data belonging to thousands of individuals.

The lawsuits, filed in the Southern District of New York by two Texas residents, stated that the breach exposed names, Social Security numbers, addresses, dates of birth, and financial account information. The complaints asserted that the firm failed to adequately protect the data and did not notify affected individuals in a timely manner, leaving them at heightened risk of identity theft and financial fraud.

Pillsbury disclosed the intrusion on November 6. The firm, which employs roughly 700 lawyers, had not issued public comment beyond its previously posted breach notice. The plaintiffs did not specify why the firm stored their data but said Pillsbury had solicited and collected it.

A public notice issued by the firm stated that the incident stemmed from sophisticated social engineering. An unauthorized actor allegedly persuaded one user to grant access long enough to download firm documents. Pillsbury said it blocked the activity once detected and implemented additional security measures, emphasizing its commitment to protecting its systems and information.

The proposed class actions sought nationwide certification and damages exceeding $5 million. The lawsuits emerged amid heightened scrutiny of cybersecurity practices at large law firms, which routinely handle sensitive information involving clients, employees, and litigation opponents. In October, Williams & Connolly reported that hackers had accessed parts of its network but said it found no evidence that confidential client material had been taken from core databases. Last year, Orrick agreed to pay $8 million to resolve claims tied to a breach affecting more than 600,000 people. Orrick represented Pillsbury in matters related to the firm’s April incident.