Orrick, Herrington & Sutcliffe (Orrick) is notifying over half a million of its clients of a security incident that has resulted in the exposure of their data.
Orrick is a California-based international law firm operating 25 offices worldwide. It employs over a thousand attorneys who handle cases relating to the domains of technology, energy & infrastructure, and finance. The firm’s annual revenue surpasses the $1 billion figure, and it is consistently ranked among the top ten law firms in the U.S. and globally.
In March 2023, the firm detected unauthorized access to its network, including a system where sensitive client files were stored. As it was determined later by the ensuing investigation, the attackers had first gained access to Orrick’s systems in February. Hence, they had plenty of time to locate valuable data and exfiltrate it.
The data that was exposed as a result of this incident is extensive, and, according to the latest investigation findings, includes the following (depending on the individual):
- Physical address
- Email address
- Date of birth
- Social Security number
- Driver’s license
- Government ID number
- Passport number
- Financial account information
- Tax identification number
- Online account credentials
- Credit/debit card number
- Medical treatment/diagnosis information
- Claims information
- Health insurance ID number
- Healthcare provider
- Medical record number
- Prescriber name
- Healthcare provider license number
- Incidental health reference
The first notice to impacted individuals was circulated in early June 2023, with the number of affected clients set to 152,818. Later, in August, the number of impacted individuals was revised as the internal investigation progressed, bringing the total to 461,100. Eventually, on December 29, 2023, Orrick updated the figure once more, saying that the security incident had impacted 637,620 clients.
Regrettably, this resulted in a significant delay in notifying numerous affected individuals about their sensitive data being compromised and exposed to cybercriminals, with several months elapsing before they were informed. The worst case is a subset of 176,520 clients who weren’t informed about the security incident until after ten months had passed.
The notifications enclose instructions on how to enroll in a two-year threat monitoring and identity protection service via Kroll, the cost of which will be covered by Orrick. If you have used Orrick’s services in the past, you are recommended to take advantage of this offering, remain vigilant against unsolicited communications, and report suspicious activity to the authorities.
As online account passwords have been exposed, resetting your passwords on any other online platforms where you might be using the same credentials to mitigate the risk of credential-stuffing attacks is recommended.