More than 42,000 affected by ransomware attack on pro bono California law firm

More than 42,000 people had their information exposed during a ransomware attack on a California law firm that provides free services to those in need.

The Law Foundation of Silicon Valley notified regulators in California and Maine this week that the February ransomware attack on their offices resulted in the leak of Social Security numbers and other personal information.

The breach affected both clients and staff members. The law firm said it has about 90 attorneys, social workers, staff, and volunteers while helping about 10,000 people each year.

The firm, which has existed for nearly 50 years, posted a message on its website last week about the incident, confirming that they were the “victim of a sophisticated ransomware attack.”

“While operations were back up and running when offices reopened from the [Presidents Day] holiday weekend, data on one server was later discovered to have been compromised. The Law Foundation immediately engaged cybersecurity specialists who conducted an extensive forensic investigation,” they said.

“The investigation revealed that certain information within the Law Foundation’s system was unlawfully accessed and that the breach compromised the personal information of more than 40,000 clients, staff, and others.”

Information accessed includes: Social Security numbers, medical records, immigration numbers, financial data, driver’s license numbers, financial account/payment card information, passport/government identification, taxpayer-identification numbers, dates of birth and digital signatures.

The investigation into the incident ended on June 1 and the law firm spent another 30 days looking for addresses and contact information for victims, who are now being offered 12 months of identity protection services and identity theft insurance.

The victims involved included both adults and minors.

“We are in the business of helping people with important and sensitive life issues. The breach impacts the core of our nonprofit mission to help low-income individuals and families with serious issues to improve their lives. We have partnered with experienced vendors to notify and assist those who are impacted,” said Alison Brunner, CEO of the Law Foundation.

“We recognize that breaches like this have become all too common and understand that rebuilding trust with clients and others will take time.”

In March, the AlphV/Black Cat ransomware group took credit for the attack, adding the Law Foundation of Silicon Valley to the lengthy list of law firms it has attacked over the last year.

Law firms have been a ripe target for ransomware groups due to the troves of information they collect on clients and the small IT staff sizes employed by most firms.

While many ransomware groups have gone after law firms, AlphV has made a point of the practice, even targeting a legal document platform used by several arms of the U.S. government.

In May, New York’s attorney general levied a $200,000 fine on a law firm representing hospitals whose sensitive files were accessed in a 2021 ransomware attack.