Cyberattackers leaked data of 27,000 NYC Bar Association members

The New York City Bar Association confirmed that the data of more than 27,000 members and employees was leaked during a cyberattack nearly a year ago.

In filings with regulators in Maine and Vermont, the organization said an investigation completed on October 18 confirmed that hackers broke into its systems and had access to internal files from December 2 to December 24, 2022.

Founded in 1870, the organization is a voluntary association of lawyers and law students with more than 23,000 current members.

InJanuary, the Clop ransomware gang claimed to have attacked the organization, threatening to leak 1.8 terabytes of stolen information. Despite acknowledging receipt of emails from Recorded Future News in January, the association never responded to requests for comment or addressed the issue publicly.

CL0P #ransomware group added New York City Bar Association (https://t.co/DZmtQ3kW6c), a voluntary association of lawyers and law students, to their victim list. They claim to have access to more than 1.8 TB of data.#USA #DarkWeb #deepweb #databreach #CyberRisk pic.twitter.com/p0BDZUrC1t

— FalconFeeds.io (@FalconFeedsio) January 14, 2023

The organization again did not respond to requests for comment this week about whether it was a ransomware attack that caused the data leak, but said its IT team took “networks offline to contain the threat.” They also did not address why it took them nearly a year to notify their members.

The organization redacted parts of the letters it is planning to send to victims, only confirming that names were accessed by the hackers. Filings in in Maine, however, say financial account numbers, as well as credit or debit card numbers, were leaked alongside security codes or PINs.

“Upon experiencing the incident, NYC Bar’s internal IT specialists took our networks offline to contain the threat and immediately commenced a prompt and thorough investigation. As part of our investigation, NYC Bar has been working very closely with external cybersecurity professionals experienced in handling these types of incidents,” they said.

“After an extensive forensic investigation and manual document review, NYC Bar discovered on October 18, 2023 that between December 2, 2022 and December 24, 2022, certain impacted files may have been removed from the NYC Bar by an unauthorized individual.”

The organization is providing victims with 12 months of free credit monitoring and identity theft protection services, which include a $1,000,000 insurance reimbursement policy.

Due to the large number of industry-specific members, bar associations have been a frequent target for hackers.

The German Federal Bar (BRAK) Association was attacked by the NoEscape ransomware group in August and confirmed that its systems were infiltrated by hackers in May 2022.

In its posting about the New York City Bar Association, the Clop ransomware gang alleged that it encrypted the organization’s systems — a relative rarity for the group, which has a penchant for data theft.

The group drew headlines this year for its repeated attacks on file transfer products, stealing troves of data from thousands of organizations across the world in two separate campaigns.