Georgia State Bar says SSNs of members, employees may have leaked in April ransomware attack

The State Bar of Georgia said the personal information, Social Security numbers, driver’s license numbers and direct deposit information of its members may have been accessed during a cyberattack in April.

The State Bar is authorized by the Supreme Court of Georgia to hold ethics investigations into the state’s lawyers and sanction those who violate state rules. The organization also provides guidance and assistance to lawyers in the state as well as a directory of attorneys.

For more than a week, officials with the State Bar of Georgia responded to a cyberattack that crippled the organization’s network, website and email system. 

The State Bar’s website carried only a single page of information for members about the attack for days in April and May.


Several companies were hired to help with the response, including the organization’s cybersecurity insurance broker Greyling, cybersecurity company Athens Micro, law firm Baker Hostetler and others. Kivu was hired to conduct an investigation of the incident. 

In a recently published breach notification letter, the organization said it completed an investigation of the incident and discovered that there was a leak of information that included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, direct deposit information, and name change information.

The information came from current and former employees as well as some members of the State Bar, which has more than 53,000 members.

The organization did not respond to requests for comment about how many people had their information leaked and the nature of the attack. 

But during its annual meeting in June, the organization released a report on the incident by State Bar of Georgia executive director Damon Elmore.

Elmore said the attack was first noticed on April 28 when the head of their information systems department heard a beeping sound indicating that servers were restarting “despite not having received a restart command.”

As the official began disconnecting devices, screens went black. In total, 17 State Bar servers and 15 workstations were encrypted with the BitLocker ransomware.

“Although this has been officially described as a ransomware attack, no monetary demand has been made and no proof of possession of any personally identifiable information (“PII”) or other data has been provided,” Elmore said. 

“We have been advised that the threat actor behind this is on the specially designated nationals and blocked persons ('SDN') list. That means that even if a monetary demand is made, and proof of personal or sensitive data provided, a ransom payment cannot be made.”

Elmore warned that evidence indicates that there is the “potential for a continued presence” by the hackers in the organization’s network. But the organization did say it was taking steps to build an entirely new network environment as a way to address this issue. 

The incident response company Kivu kept in contact with the hackers for “intelligence and/or stalling purposes” as the organization rebuilt its systems. Elmore claimed that through communicating with the hacker, Kivu believes the group “cannot identify which of its victims it is dealing with.” 

Kivu and law firm Baker Hostetler said they could not gather intelligence “without providing the threat actor with the identity of the State Bar as the victim.” At the time, Elmore said, “Once sufficient decryption and access are achieved, Kivu will be instructed to terminate communications with the threat actor.”

Emsisoft threat analyst and ransomware expert Brett Callow said BitLocker is not particularly common but a number of threat actors have used it in the past. 

“It's problematic for multiple reasons, which is why it's not more commonly used,” he said.

“It's slow, decryption at scale is impossible, the encryption key for all systems is revealed if one system fails to encrypt or reboot, etc.”

The State Bar is offering people who had their information leaked free credit monitoring and identity protection services through Transunion, but did not respond to requests for clarification about how long the services would be offered.

Correction (10/14): A previous version of this story stated that the State Bar of Georgia disclosed that certain information had leaked. The State Bar told The Record that they could not rule out with complete certainty whether or not information had been accessed.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.