Orrick Data Breach Scope Expands, Exposing Information of Over 638,000 Individuals

Orrick, Herrington & Sutcliffe, a prominent law firm specializing in cybergovernance and response, has revealed a significant expansion in the scope of its data breach, impacting over four times the initially reported number of individuals.

This disclosure, made through an updated filing with the Maine Attorney General’s office, raises concerning questions about data security practices within the legal industry.

Breach Details and Escalating Scope

Originally, Orrick reported a two-week data breach incident in March 2023 impacting approximately 153,000 individuals. The breach involved unauthorized access to a file-sharing service containing client and other sensitive information. 

However, a recent filing reveals that the attacker accessed and stole data from Orrick’s system for a longer period, from February 28th to March 13th. An analysis of unstructured data within the compromised files, concluded in October, significantly increased the estimated number of impacted individuals to a staggering 638,000.

Types of Information Exposed

The precise information exposed in the breach remains unclear, but Orrick’s initial disclosure acknowledged compromised records could include:

  • Personal information: Names, addresses, phone numbers, and email addresses.
  • Sensitive data: Government-issued identification numbers (Social Security numbers, passport numbers, driver’s license numbers), tax identification numbers, and health data.
  • Client information: Information related to legal matters Orrick handled on behalf of clients.

The full extent of the exposed data and potential harm to affected individuals is still under investigation.

Unanswered Questions and Industry Implications

Orrick’s failure to respond to requests for comment further intensifies concerns about its transparency and handling of the breach. 

The incident, impacting a law firm specializing in cybersecurity, exposes a potential vulnerability within the legal industry itself. It raises critical questions about:

  • Data security practices: Were adequate safeguards in place to prevent unauthorized access to sensitive information?
  • Incident response: Was the breach detected and contained promptly? Were affected individuals notified promptly and effectively?
  • Transparency and accountability: Why did the number of impacted individuals increase significantly between disclosures?

Moving Forward:

Orrick needs to provide clear and comprehensive information about the data breach, the exposed information, and the steps taken to mitigate the risks for affected individuals. 

Additionally, thorough investigations and independent reviews are crucial to assess the firm’s data security practices and identify potential vulnerabilities. 

This incident serves as a stark reminder of the importance of robust data security measures and responsible handling of sensitive information, especially within the legal industry.

Keep in touch with our blog to read the latest news and innovations in the cybersecurity world. 

orrick data breach

Facebook: Eagle Tech Corp

Instagram: @eagletech_corp

X: @eagletechcorp

LinkedIn: Eagle Tech

YouTube: Eagle Tech Corp

Cybersecurity and IT Managed Services