Cadwalader, Wickersham & Taft office sign
(image source: Diego M. Radzinschi/ALM, 2020)
One-sentence summary:
The oldest NYC law firm, Cadwalader, Wickersham & Taft, was breached in November, resulting in notable operational disruption, a class-action lawsuit, and adverse effects, potentially, for over 93,000+ individuals, including clients.
Who was involved?
Cadwalader, Wickersham & Taft LLP, 93,211 victims, and a threat actor.
What was the timeline?
November 15, 2022: Breach occurred
November 16, 2022: Cadwalader discovers the breach
November 19, 2022: Cadwalader firm email system returns online (Roe, 2023)
March 30, 2023: Cadwalader begins consumer notification (per Maine OAG report)
April 12, 2023: Class-action lawsuit is filed in NY federal district court against the firm
What occurred?
In November 2022, an unknown actor breached the information systems of the famous NYC-based law firm Cadwalader, Wickersham & Taft and was quickly discovered by Cadwalader management (Brehmer, 2023). Operational disruption was apparent for the weeks following the breach (Roe, 2023). The breached information has only been specified as names and social security numbers (Brehmer, 2023). As a temporary recovery measure, employees and attorneys were requested to use their personal devices in lieu of their work devices to access potentially privileged and work-related documents (Roe, 2023). The incident has resulted in a class action lawsuit against the firm (Perotti v. Cadwalader, Wickersham & Taft, 2023).
Estimated costs:
Associated incident response costs, breach notification costs, hired “renowned external cybersecurity experts and legal counsel,” 2 years of Kroll identity monitoring, litigation defense costs, operational issues/costs (e.g., due to offline document system) (Roe, 2023)
Involved laws:
Federal: Section 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. § 45 (Perotti v. Cadwalader, Wickersham & Taft, LLP, Docket No. 1:23-cv-03063 (S.D.N.Y. Apr 12, 2023), Court Docket)
State: Maine: 10 M.R.S.A. § 1346
Root cause:
TBA or N/A (see disclaimer)
Lessons learned:
TBA or N/A (see disclaimer)
Sources:
Brehmer, H. (2023). Data Breach Notifications. In Privacy, Identity Theft and Data Security Breaches. Office of the Maine Attorney General. Retrieved April 13, 2023, from https://apps.web.maine.gov/online/aeviewer/ME/40/30f7a1de-50d4-4484-8eaa-1b01e624f123.shtml
Diego M. Radzinschi/ALM. (2020, February). Cadwalader-Office-Sign-Article-202002111512.jpg. law.com. https://images.law.com/contrib/content/uploads/sites/389/2020/02/Cadwalader-Office-Sign-Article-202002111512.jpg
Perotti v. Cadwalader, Wickersham & Taft, LLP, Docket No. 1:23-cv-03063 (S.D.N.Y. Apr 12, 2023). https://www.bloomberglaw.com/ms/public/desktop/document/PerottivCadwaladerWickershamTaftLLPDocketNo123cv03063SDNYApr12202
Roe, D. (2023, January 9). November Cyberattack Hobbled Cadwalader for Weeks, Internal Emails Show | The American Lawyer. The American Lawyer. Retrieved April 13, 2023, from https://www.law.com/americanlawyer/2023/01/05/november-cyberattack-hobbled-cadwalader-for-weeks-internal-emails-show/
