Snack giant Mondelēz International has suffered a third-party data breach through its legal services provider, the law firm Bryan Cave Leighton Paisner LLP.
The Oreo, Sour Patch Kids, and Belvita maker sent data breach alerts to over 50,000 potential victims, informing them that their personal information was illegally accessed.
With a workforce of over 80,000, the Chicago, Illinois-based Fortune 500 company earned over $32 billion in 2022 and $9.166 billion net in Q1 2023.
Third-party law firm data breach impacted current and former employees
According to the data breach notification letters, Bryan Cave detected an unauthorized intrusion into its network from February 23 to March 1, 2023.
The law firm responded by hiring external cybersecurity experts, notifying law enforcement and its client Mondelēz International on March 24, 2023.
The data breach at the law firm exposed potential victims’ first and last names, Social Security numbers, addresses, dates of birth, marital statuses, gender, employee identification numbers, and Mondelēz retirement and/or thrift plan information. However, the intrusion did not expose the victims’ financial information, such as account details or credit card numbers.
Bryan Cave was still investigating the incident to ascertain the nature of the information leaked.
“On May 22, 2023, based upon additional information received from Bryan Cave, Mondelēz determined that it finally had enough information to determine who was impacted and that affected individuals should be notified,” the food company said.
According to the regulatory filing with the Maine Attorney General’s office, the incident impacted 51,110 individuals.
The snack giant also clarified that the data breach did not compromise its internal systems or affect its operations, and that the company remained “able and focused” on serving its customers while the incident was being resolved.
“Please know that this incident did not occur on or affect Mondelēz systems or networks in any way,” the food giant insisted.
Additionally, Mondelēz was unaware of any misuse of the stolen information. The company offered complimentary identity theft protection services with Experian for 24 months to protect the victims from online fraud.
The law firm also took additional steps to address the security breach to prevent a recurrence.
Meanwhile, Mondelēz International advised potential victims to review their financial statements and monitor their accounts for suspicious activity. They could also request free credit reports and temporarily freeze their credit files to prevent scammers from taking out loans, opening new credit cards, or making fraudulent purchases in their names.
More law firms impacted by cyber-attacks
Bryan Cave is among many law firms recently impacted by cyber-attacks. In April 2023, Proskauer Rose law firm exposed its clients’ sensitive legal and financial information via a third-party cloud misconfiguration, risking hefty SEC fines.
“Third-party breaches, as it is with this case, occur when a trusted business partner or vendor is compromised, leading to unauthorized access or exposure of sensitive data shared between the organization and the third party,” said Erfan Shadabi, a cybersecurity expert at comforte AG. “These breaches can have devastating consequences, as they often expose confidential information, trade secrets, customer data, or employee records.”
In 2021, Jones Day and Goodwin Procter confirmed they were victims of the Accellion data breach that compromised over 100 companies.
Similarly, Covington & Burling leaked the data of 298 publicly traded companies in 2020. The U.S. Securities and Exchange Commission sued the law firm in 2023, demanding the names of the impacted companies.
Describing the incident as a nation-state cyber espionage activity, Covington said the data breach targeted a small group of lawyers linked to specific policy issues of interest to the Chinese government. The security breach was attributed to the government-sponsored Chinese APT Hafnium.
At least 83 law firms signed an amicus brief supporting Covington & Burling in the lawsuit described as part of “intrusive government fishing expeditions.”
Insisting that safeguarding data was a top priority, Shadabi encouraged organizations to vet their partners’ security practices, policies, and past incidents to identify potential vulnerabilities.
“By implementing data-centric security measures, organizations can safeguard their information from unauthorized access, even in the event of a breach involving a third party. Furthermore, organizations need to exercise caution and diligence when selecting business partners and vendors,” recommended Shadabi.