Orrick, Herrington & Sutcliffe agrees to $8 million settlement

In a recent development, global law firm Orrick, Herrington & Sutcliffe LLP has agreed to pay $8 million to settle consolidated class action claims related to a data breach that affected approximately 461,100 individuals. 

What happened 

The attack, conducted by a ransomware organization, occurred on March 13, 2023, when the hackers infiltrated and accessed Orrick's inadequately protected computer systems. The attack on Orrick involved a tactic known as double extortion, where the hackers first exfiltrated data and then encrypted several systems within the company. The breach resulted in the theft of hundreds of thousands of sensitive personal information. 

Going deeper

A lawsuit was filed against Orrick, Herrington & Sutcliffe in the U.S. District Court for the Northern District of California shortly after the announcement about the breach. The lawsuit made several allegations, including the failure to secure its systems, the failure to prevent and stop the breach, the failure to detect the breach in a timely manner, and the failure to disclose material facts that adequate system security measures were in place to prevent data breaches. 

The attack on Orrick is part of a wave of cyberattacks targeting law firms, with other prominent firms like Proskauer Rose, Kirkland & Ellis, K&L Gates, and Loeb & Loeb also falling victim to similar attacks. The details of how the attackers infiltrated Orrick's systems and whether the breach is part of a larger attack remain undisclosed.

What was said

The consolidated complaint revealed that as a result of the breach, plaintiffs claimed damages such as identity theft, attempted identity theft, misuse of their PII, and an influx of spam telephone calls from unknown sources.

Furthermore, the complaint asserted that Orrick's failure to safeguard the breach victims' personal information facilitated cybercriminals in acquiring all necessary data for various forms of identity theft.

Why it matters

This settlement sheds light on the urgent need for strong cybersecurity across all industries, revealing the pervasive threat posed by cybercriminals exploiting system vulnerabilities. It places emphasis on proactive measures to prevent breaches, preserve reputation, and maintain trust with clients. Additionally, it stresses compliance with data protection laws, signaling the broader significance of safeguarding sensitive information.