Bryan Cave Leighton Paisner is the latest Big Law firm to be struck by a cyber breach involving sensitive client data.
The breach exposed the personal data of more than 50,000 current and former employees of Mondelēz International, the snack food company that makes Oreo cookies and Ritz crackers.
BCLP in late February discovered it had been hacked, including in areas involving certain client files, according to a sample notice Mondelēz sent to affected employees June 15. The information stolen included employee dates of birth, Social Security numbers, and home addresses.
The firm initiated a “robust” investigation with the assistance of an outside cybersecurity forensics firm and also notified law enforcement, according to the notice obtained by the British tech website The Register. The firm informed Mondelēz of the breach March 24, the notice said.
“On May 22, 2023, based upon additional information received from Bryan Cave, Mondelēz determined that it finally had enough information to determine who was impacted and that affected individuals should be notified,” the company notice says.
The Mondelēz notice said the incident did not occur on or affect company systems “in any way.”
According to the Maine attorney general’s office, 51,110 people were affected by the breach.
According to a BCLP statement issued by a firm spokeswoman, “we immediately took measures to contain the incident” after learning of the issue. The firm was assisted by a leading forensics firm, coordinated with law enforcement, and is communicating with affected stakeholders.
“We remain able and focused on continuing to serve our clients as we resolve this matter,” the statement said.
“We take the security of our employee data very seriously,” said a Mondelēz statement provided by a company spokeswoman. “We took immediate steps once we were notified about this situation, and we are continuing to work with our partners to provide impacted employees with appropriate assistance.”
BCLP is the latest in a long list of Big Law firms struck by cyberattacks and data breaches in recent years that have involved both law firm and client data.
In April, Proskauer Rose confirmed that its clients’ data, including sensitive financial information, had been exposed to hackers.
Goodwin Procter and Jones Day data was exposed through a breach at tech provider Accellion, now known as Kiteworks, in 2021. The firms acknowledged that the breach had left confidential client data exposed.
Covington & Burling faced an attack in 2020 that may have exposed nonpublic information involving about 300 corporate clients.
The U.S. Securities and Exchange Commission has asked the firm to turn over its clients’ names. The request prompted more than 80 competing firms to back Covington, claiming attorney-client privilege should block the SEC’s request.
