In the ever-evolving landscape of cybersecurity, where threats are omnipresent, even the guardians of legal matters find themselves susceptible to the perilous domain of cyberattacks. This unfortunate reality unfolded recently as Orrick, Herrington & Sutcliffe, a distinguished international law firm specializing in assisting companies affected by security incidents, became the focal point of a substantial data breach.

The breach, revealed last week, laid bare the vulnerabilities of even the most ostensibly secure entities. Orrick, headquartered in San Francisco, disclosed that hackers successfully penetrated its network in March 2023, exfiltrating personal information and sensitive health data belonging to more than 637,000 data breach victims. This revelation marks a stark irony as the firm, entrusted with safeguarding companies in the aftermath of security incidents, found itself grappling with its own cybersecurity crisis.

Orrick’s modus operandi involves aiding companies in adhering to regulatory requirements post-security incidents, particularly data breaches. However, the tables turned when the firm became a victim of a sophisticated cyber intrusion. The stolen information ranged from names, dates of birth, addresses, and email addresses to more critical data such as government-issued identification numbers, medical treatment and diagnosis details, insurance claims information, and even online account credentials and financial information.

Furthermore, the breach extended beyond Orrick’s own operations, affecting clients who had vision plans with EyeMed Vision Care and dental plans with Delta Dental, as well as other entities such as health insurance company MultiPlan, behavioral health giant Beacon Health Options (now known as Carelon), and the U.S. Small Business Administration. The number of people affected has tripled since the breach was first disclosed, amplifying the complexity of the situation and raising concerns about the extent of the compromised data.

How the hackers got into Orrick’s network remains unknown, and it is also unclear whether the attackers made any ransom demand. Orrick, when approached for comment, chose not to disclose details about the incident but expressed regret for the inconvenience caused, emphasizing its dedication to resolving the matter promptly for clients, impacted individuals, and its team.

In response to the breach, Orrick has been involved in ongoing settlement discussions concerning four class-action lawsuits. These lawsuits accused the firm of failing to inform victims of the breach until months after the incident. The recent statement from Orrick indicates that a settlement agreement in principle has been reached, providing some closure to the affected parties and allowing the firm to redirect its focus towards fortifying its systems and ensuring the continued protection of client information.

The incident involving Orrick, Herrington & Sutcliffe serves as a stark reminder that no organization, regardless of its expertise or prominence, is impervious to the evolving and sophisticated nature of cyber threats. It underscores the importance of continuous vigilance, proactive cybersecurity measures, and an unwavering commitment to safeguarding sensitive information in an era where digital breaches pose a constant threat to businesses and individuals alike.