Experts On Campbell Conroy & O’Neil, P.C. Discloses Data Breach

Campbell Conroy & O’Neil, P.C. (Campbell), a US law firm counseling dozens of Fortune 500 and Global 500 companies, has disclosed a data breach following a February 2021 ransomware attack. Campbell’s client list includes high-profile companies from various industry sectors and some of its current and past clients include Exxon, Apple, Mercedes Benz, Boeing, Home Depot, British Airways, Dow Chemical, Allianz Insurance, Universal Health Services, Marriott International, Johnson & Johnson, Pfizer, Time Warner, and many others.

3 Expert Comments
Trevor Morgan, Product Manager
InfoSec Expert
July 19, 2021 2:36 pm

When you think of high-profile data breaches, what probably comes to mind are those incidents that target large consumer-focused industries and companies such as online retail or financial services. Those targets possess valuable personal data about thousands or even millions of data subjects, so a successful attack can yield a treasure trove of information. However, news that Campbell Conroy & O’Neil, P.C., a prominent U.S. legal firm, was breached should be discomfiting. Law firms house massive amounts of information about clients and legal cases—much of that privileged information—and most of that information is highly sensitive and can be used as leverage against the firms themselves (in ransomware attacks) and also to target other victims in a domino effect.

Law firms and legal service providers (such as processors of legal discovery data) should be paying attention to this breach and immediately assessing their defensive posture. If you’re one of these organizations, you should be asking whether your sensitive data resides in a vulnerable clear state behind what you believe is a well-protected perimeter, or whether you apply some form of data-centric security to it. The difference is that perimeter-based security can always be surmounted, because of the dizzying number of attack vectors involved—it just takes desire, patience, and craftiness. Better to protect sensitive information itself, applying a tried-and-true method like tokenization, which replaces sensitive data elements with representational information of a non-sensitive nature. Data-centric security travels with the data, too, so even if it falls into the wrong hands, threat actors cannot exploit it.

Remember, it’s the court of public opinion that has the biggest influence, so legal firms can secure a winning case by protecting their reputation through data-centric security measures.

Javvad Malik, Security Awareness Advocate
InfoSec Expert
July 19, 2021 2:37 pm

While cyber criminal gangs are fond of deploying ransomware, their target has been increasingly focussing on stealing data from organisations that they can use to blackmail, sell on, or use to target others with.

Because of this, we’re seeing more organisations targeted which have traditionally not been on criminals’ radars. Which is why it’s important that all organisations of all sizes and across all industry verticals invest in robust cybersecurity controls which encompass the technologies, processes, and people to reduce the likelihood of becoming victims.

Ilia Kolochenko, Founder and CEO
InfoSec Expert
July 19, 2021 3:04 pm

The most valuable data at a law firm is certainly not PII as disclosed by the law firm in question. Smart cybercriminals are chasing for sensitive dossiers of wealthy or politically exposed customers, looking for attorney-client privileged information or other sensitive litigation-related data. Modern cyber gangs are well aware of it, moreover, in the Dark Web, there are dedicated channels to buy and sell data from compromised law firms.

Worse, in some jurisdictions, stolen data, especially related to serious tax fraud, can be admitted in court proceedings both in civil and criminal cases. If such data was compromised, the criminals will almost certainly try to extort the law firm and its clients in parallel. Payment of a ransom will not, however, eliminate the risk of subsequent data disclosure: we witnessed hundreds of high-profile cases when racketeers leaked or sold stolen data after being paid the full amount they had asked. Victims of the disclosed data breach may have a wide spectrum of legal claims against the breached law firm with damages ranging from a couple of thousands to tens of millions per victim.

Currently, law firms enjoy a very modest data protection regulation regime compared to such industries as banks or healthcare institutions, while processing data of the same or even higher sensitivity. We should expect a steady growth of sophisticated attacks against law firms in the near future.
