Law Firm to the Fortune 500 Breached with Ransomware

Deep-pocketed clients’ customers & suppliers could be in the attacker’s net, with potential PII exposure from an A-list clientele such as Apple, Boeing and IBM.

Campbell Conroy & O’Neil, P.C. – U.S. law firm to a dazzling array of huge companies – told its star-studded clientele that an intruder may have groped their data. It was hit with ransomware in February and is now suffering the data-breach fallout.

That client list spans a slew of industries and includes the likes of Apple, Boeing, British Airways, Chrysler, Exxon Mobil, Fisher-Price, Ford, Honda, IBM, Jaguar, Monsanto, Toyota and US Airways – to name just a few.

On Friday, the firm said in a press release that it realized on Feb. 27 that it got hit by what turned out to be a ransomware attack.

Campbell didn’t mention which ransomware gang claimed responsibility. None of the big ransomware groups had claimed the conquest as of Tuesday morning.

Unfortunately for the firm’s clients, there are a whole lot of ransomware organizations that like to pull double-extortion attacks: First the attackers lock up their victims’ systems, then they threaten to leak the compromised data or use it in future spam attacks if their ransom demands aren’t met. The trend started in late 2019 with Maze operators and was quickly picked up by the crooks behind the Clop, DoppelPaymer and Sodinokibi (aka REvil) ransomware families.

Data breaches resulting from ransomware attacks are rife these days: The fashion label Guess, for one, last week was dealing with a breach after having suffered from a February ransomware attack linked to Colonial Pipeline attackers DarkSide.

It’s going to be tough going for Campbell if it turns out to be REvil, given that the gang’s servers slipped offline last week, leaving victims stuck mid-negotiation without a way to pay a ransom or get decryption keys to unlock their files and restart their businesses. Ditto for DarkSide: Its servers shut down in May.

Campbell’s ensuing investigation hasn’t yet determined if the unauthorized threat actors got at specific information, but the law firm does know that they could have accessed a treasure trove of sensitive personally identifiable information (PII) belonging to “certain individuals”: names, dates of birth, driver’s license numbers/state identification numbers, financial account information, Social-Security numbers, passport numbers, payment-card information, medical information, health insurance information, biometric data, and/or online account credentials.

“Please note that the information varies by individual and for many individuals, a limited number of data types were determined to be accessible,” according to the statement.

Campbell is offering 24 months of free credit monitoring, fraud consultation and identity-theft restoration services, but only for clients whose Social-Security numbers or the equivalent were affected.

The law firm said in its press release that it enlisted unnamed “third-party forensic investigators” to investigate the attack, as well as having informed the FBI about the breach. A Campbell spokesperson told Threatpost that the firm is “fully operational and does not anticipate any significant impact to ongoing litigation nor to our representation of our valued clients.”

Attackers Could Go After Suppliers, Clients’ Customers

The impact of an attack on a law firm with such a vast array of deep-pocketed clients could be nasty. Experts compared it to an earlier attack on a law firm with similar clout: the 2016 breach of Mossack Fonseca, known as the law firm that helped “the super-rich hide their money.” That breach led to the infamous Panama Papers scandal, in which private information about those super-rich clients was disclosed.

Neil Jones, cybersecurity evangelist at Egnyte, observed to Threatpost on Monday that Campbell’s misery could extend deep into its clients’ innards, with the potential to snare clients’ customers and/or suppliers. “An initial breach or ransomware attack can reveal third-party providers’ IT vulnerabilities that can be capitalized on by attackers at a later date,” Jones pointed out in an email.

Anurag Kahol, CTO and cofounder of Bitglass, noted that law firms are ripe for the plucking. “Law firms are an extremely lucrative target to cybercriminals due to the massive amounts of PII they collect and store, such as Social-Security and driver’s-license numbers, as well as financial and medical information,” he said in an email. “Cybercriminals can leverage this data to commit financial fraud, engage in identity theft, or sell for high profits in Dark Web marketplaces.”

Why Is Ransomware So Successful?

The breach is bad. But dial it back to the initial ransomware attack that led to the data exposure and you’re left wondering, how are these attacks getting through? It’s not as if businesses don’t have protection. One recent survey from storage provider Cloudian found that 49 percent of those who’ve experienced attacks had perimeter defenses in place at the time, but ransomware still penetrated.

Gary Ogasawara, Cloudian CTO, told Threatpost that businesses have to plug the holes with encryption and storage that can’t be tinkered with.

“As ransomware strategies become increasingly sophisticated and often result in data theft and exploitation, businesses must act immediately to shore up their defenses, particularly for sensitive data,” he said via email. “This means organizations should encrypt their data both in flight and at rest, so hackers can’t read or expose the data. In addition, and most importantly, they should have an immutable (unchangeable) back-up copy of their data, which prevents cybercriminals from infecting it with ransomware. This combination of encryption and immutability ensures complete protection in the event of a ransomware attack and eliminates the need to pay ransom.”
