Orrick, Herrington & Sutcliffe breach total jumps to over 600K impacted


International data protection law firm Orrick, Herrington & Sutcliffe reveals tens of thousands of additional victims were impacted in its spring 2023 breach, as well as new details regarding the types of data compromised.

The San Francisco-headquartered firm – known for providing cybersecurity data management, risk compliance plans, and incident response to its own corporate clients – also disclosed two newly identified affected entities: Beacon Health Options (now Carelon Behavioral Health) in Boston and the US Small Business Administration government agency.

Other entities caught up in the February 28th, 2023 breach (previously revealed) include the Charles Schwab financial services company and Texas-based software company Fujitsu North America.

ADVERTISEMENT

Orrick, Herrington & Sutcliffe filed its third disclosure notice – exactly ten months later increasing the number of compromised individuals by more than 176,000 victims.

The latest and apparent final tally of 637,620 victims was reported to the Maine Attorney General’s office on December 28th.

Orrick, Herrington & Sutcliffe Dec 28 breach notice
Orrick, Herrington & Sutcliffe filed its third breach notice, increasing its victim count to more than 637K impacted individuals on December 28th, 2023. Image by Cybernews.

The original breach notice filed in 2023 on July 20th lists 152,818 impacted victims. The second notice filed weeks later on August 18th, increased that number to 461,100.

“Some may see this as an ironic incident, but, in reality, it only highlights that no organization is immune to a cyber attack,” said Richard Harragan, Senior Security Consultant at i-confidential.

Harragan points out that “as a key law firm in the world of cyber defense, it’s likely that Orrick, Herrington & Sutcliffe would have employed robust security measures to keep attackers away from their sensitive data.”

“Once again, however, criminals found a loophole they were able to exploit, the likes of which is causing massive damage to organizations and consumers all across the world,” Harragan said.

Orrick had previously revealed that an “unauthorized third party,” which the company discovered “roaming" inside the firm’s networks for two weeks on March 13th, 2023, was able to gain access to a remote “portion of its network.”

ADVERTISEMENT

That access “including a file share that Orrick used to store certain client files,” the December supplemental notice stated.

Orrick, Herrington & Sutcliffe Maine AG site Dec 28

The company, facing serious backlash for waiting months after the hack to disclose the cyber incident to affected clients and their customers, tentatively settled four consolidated lawsuits filed against the firm on behalf of the impacted victims, which was also mentioned in the December notice.

Among the charges filed against Orrick; negligence, breach of fiduciary duties, breach of confidence, and breach of implied contract.

The December disclosure also reveals the exact data that was compromised in the breach, which includes a vast array of personally identifiable information (PII) varying by individual:

  • name, address, email address, date of birth,
  • Social Security number, driver’s license or other government-issued id number,
  • passport number and/or tax identification number,
  • financial account information, credit or debit card number,
  • Healthcare account information (online account credentials, id number, healthcare provider, medical record number, prescriber name, healthcare provider license number),
  • medical treatment and/or diagnosis information,
  • health insurance and claims information (date, cost of services, and claims identifiers).

“As criminals become more determined to break into enterprise networks, we must increase our determination to keep them out. Security is no longer optional; it is critical to the survival of any business,” Harragan said.

Orrick, who has been tight-lipped about the hack so far, provided an explanation of the delay in the notice.

Orrick stated once affected clients were identified, it worked with those clients to further identify the client’s customers, notifying those customers of the data breach in early June.

Another analysis of “unstructured data, such as emails and attachments to emails, was completed in mid- October and the impacted health plans have been notified,” Orrick said.

ADVERTISEMENT

“As a large international law firm, we occasionally receive information from our clients and other third parties, including personal information, which we possess in connection with the services we provide.” - Orrick, Herrington & Sutcliffe.

Excerpt from breach disclosure notice filed with the Office of the Maine Attorney General on August 18, 2023.

The firm said it does not anticipate providing notifications on behalf of additional businesses, and are providing two years of Kroll identity monitoring services to all impacted.

Although Orrick did not disclose how the attackers infiltrated its systems, Harragan says to improve cyber defenses, organizations must focus on improving their cyber hygiene.

“Systems should be up to date, backups stored on-premise and in the cloud, employees regularly trained in security awareness, such as how to recognize phishing emails, all systems and devices inventoried and secured, and recovery from different events documented and practiced on a regular basis,” Harragan said.

Orrick, Herrington & Sutcliffe employs over 1,000 attorneys throughout more than 20 offices globally. The law firm's 2022 revenue is listed as nearly $1.4 billion, making it the 40th highest-grossing law firm in the world.