Law Firm Campbell Suffers Data Breach After Ransomware Attack

Campbell Conroy & O’Neil, P.C. (Campbell), a major American law firm whose clientele includes dozens of Fortune 500 and Global 500 companies, announced suffering a data breach in the wake of a February 2021 ransomware attack. 

In its report on the data breach, Bleeping Computer noted that the attackers gained access to  “certain individuals’ names, dates of birth, driver’s license numbers/state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials (i.e. usernames and passwords).” 

Additionally, the perpetrators behind the Campbell data breach remain unknown. Moreover, Campbell could not confirm whether the hackers actually stole the accessed data. Bleeping Computer notes that the information potentially stolen could create a cascade effect of more data breaches in the future. 

We spoke to cybersecurity experts about the lessons from the Campbell data breach and ransomware fallout. Here’s what they had to say. 

Law Firm Campbell Suffers Data Breach After Ransomware Attack

Uriel Maimon

Uriel Maimon is Senior Director of Emerging Technologies at PerimeterX. 

“Data breaches resulting from ransomware attacks are becoming all too common these days, just look at the Guess breach that made headlines only a week ago. Once personal information is stolen, there’s no “putting the genie back in the bottle.” And the damage incurred with stolen identities, whether through ransomware attacks or account takeovers, can last for years as the information can be repurposed multiple times to steal funds or create synthetic identities and apply for new accounts. 

“This attack shows that while ordinary people may think they know who has access to their data, the modern digital economy has a sophisticated supply chain, and multiple organizations can secure access to that data. They can be lawyers, accountants, or consultants or the building blocks of modern web applications where the application itself relies on infrastructure from multiple companies such as cloud infrastructure providers, identity and access management solutions, third-party code libraries, and many others. This underscores the need for constant vigilance and cross-silo solutions as the safety and integrity of data is only as strong as the weakest link.  Knowing which links are even involved, is easier said than done.”

Javvad Malik

Javvad Malik is Security Awareness Advocate at KnowBe4. 

“While cyber-criminal gangs are fond of deploying ransomware, their target has been increasingly focused on stealing data from organizations that they can use to blackmail, sell on, or use to target others with. 

Because of this, we’re seeing more organizations targeted, which have traditionally not been on criminals’ radars. This is why it’s important that organizations of all sizes and across all industry verticals invest in robust cybersecurity controls, which encompass the technologies, processes, and people to reduce the likelihood of becoming victims.” 

Trevor Morgan

Trevor Morgan is Product Manager at comforte AG.

“When you think of high-profile data breaches, what probably comes to mind are those incidents that target large consumer-focused industries and companies such as online retail or financial services. Those targets possess valuable personal data about thousands or even millions of data subjects, so a successful attack can yield a treasure trove of information. However, news that Campbell Conroy & O’Neil, P.C., a prominent U.S. legal firm, should be discomfiting. Law firms house massive amounts of information about clients and legal cases—much of that privileged information—and most of that information is highly sensitive and can be used as leverage against the firms themselves (in ransomware attacks) and also to target other victims in a domino effect.

Law firms and legal service providers (such as processors of legal discovery data) should be paying attention to this breach and immediately assessing their defensive posture. If you’re one of these organizations, you should be asking whether your sensitive data resides in a vulnerable clear state behind what you believe is a well-protected perimeter, or whether you apply some form of data-centric security to it. The difference is that perimeter-based security can always be surmounted because of the dizzying number of attack vectors involved—it just takes desire, patience, and craftiness. Better to protect sensitive information itself, applying a tried-and-true method like tokenization, which replaces sensitive data elements with representational information of a non-sensitive nature. Data-centric security travels with the data, too, so even if it falls into the wrong hands threat actors cannot exploit it.

Remember, it’s the court of public opinion that has the biggest influence, so legal firms can secure a winning case by protecting their reputation through data-centric security measures.”

Thanks to these cybersecurity experts for their time and expertise on the Campbell data breach and ransomware fallout. For more, check out the Endpoint Security Buyer’s Guide.