Law firm Jones Day disclosed that hackers stole confidential client data after breaching a third-party vendor file-sharing platform. AmLaw ranks the firm as the tenth-largest provider of legal services in the United States, with annual gross revenue of over $2 billion.
Jones Day clients include half of the Fortune 500 firms, such as Google, JPMorgan Chase, Wal-Mart, Procter and Gamble, and McDonald's. It also represented the Donald Trump campaign.
The Cleveland, Ohio-based law firm is the second major legal services provider affected by the third-party data breach. The ransomware group responsible for the breach said it exfiltrated the data directly from the law firm’s server, but Jones Day denies the claims.
Accellion data breach exposes Jones Day and Goodwin Procter confidential client data
Jones Day claims that the data leak originated from a third-party data breach, specifically, Accellion, which provides file transfer services for several firms in the legal industry. On Feb 2, 2021, Goodwin Procter also disclosed a data breach associated with the Accellion file transfer platform.
“Jones Day has been informed that Accellion’s FTA file transfer platform, which is a platform that Jones Day—like many law firms, companies, and organizations—used was recently compromised and information taken,” Jones Day spokesman David Petrou told Bloomberg Law. “Jones Day continues to investigate the breach and has been, and will continue to be, in discussion with affected clients and appropriate authorities.”
The Accellion breach was also associated with the exposure of personal data belonging to more than one million New Yorkers seeking unemployment benefits.
Similarly, the University of Colorado reported being affected by the third-party data breach, while a California tech firm is facing a lawsuit in connection with the Accellion data breach.
Other victims include the Singaporean telecoms giant Singtel, the Office of the Washington State Auditor, the Australian Securities and Investments Commission, and the Reserve Bank of New Zealand.
Accellion acknowledges a sophisticated cyber attack
On Feb 1, Accellion released a statement acknowledging a “sophisticated cyberattack” on its two-decade-old File Transfer Appliance.
The company said it sought the services of a “leading cybersecurity forensics firm” to conduct a full assessment of the FTA data security incident. Jones Day promised to release comprehensive details of the third-party data breach after concluding its investigation.
Clop ransomware group published Jones Day confidential client data on the dark web
Clop ransomware, the threat actor claiming responsibility for the alleged Jones Day third-party data breach, published the law firm’s data on the dark web as proof.
Although the law firm was associated with Donald Trump, experts believe that the ransomware attack was not related to politics. The ransomware operators also told databreaches.net that they did not encrypt Jones Day’s files in the process.
The threat actor posted several archives containing gigabytes of client data. The first release contains emails, while the second archive contains confidential files allegedly pilfered from the company’s servers. According to the WSJ, the ransomware operators claim to have over 100 gigabytes of data from Jones Day.
Clop ransomware denies Jones Day exposure originated from a third-party data breach
An alleged Clop ransomware threat actor told the Wall Street Journal that Jones Day was notified of the data breach on Feb 3, but failed to respond to ransom demands.
Clop also claimed it pilfered the data directly from Jones Day servers, but the law firm insisted that the data leak emanated from a third-party data breach.
The Wall Street Journal reported that the leaked Jones Day data contained “Accellion configuration files and logs with references to Jones Day email and web addresses.”
“Like the SolarWinds supply chain attack, the cybercriminals are focusing their attacks on those third parties and service providers that support many customers,” says James McQuiggan, security awareness advocate at KnowBe4. “These organizations will want to review and elevate their security programs to ensure they do not suffer a breach, leading to a similar compromise. These attacks damage the organization’s customers and clients, and damage the reputation and possible bottom line for that organization.”
McQuiggan added that third-party providers should encrypt files before transferring them to protect their clients.
“It is highly likely that a third party or a vendor is the root cause of the alleged data breach,” says Ilia Kolochenko, CEO at ImmuniWeb. “Cybercriminals usually start their ‘shopping’ by probing unprotected third parties that have access to valuable data of the victim. Currently disclosed details about the stolen data indicate that the incident has a narrow impact and only a limited number of customers and cases are affected by it. Also, even if some documents are marked as confidential or privileged, it does not necessarily mean that they still have, or ever had this protectable status.”
“Modern business is based on an ecosystem of technology providers that form a digital supply chain. Compromising a business is then a matter of identifying the weakest link and accessing the data that it has on the business and its clients. While it is traumatic for any business leader to find themselves in the press for a data breach, the incident represents an opportunity.”
The cybercriminal gang could lie to avoid exposing the source of its data, while the law firm would also attempt to shift blame to save face regarding such an embarrassing exposure. However, Jones Day’s claims appear credible given the presence of Accellion’s logs in the exposed data.