Dive Brief:

• A cyberattack against Orrick, Herrington & Sutcliffe, a law firm that helps companies manage cyber governance and response, allowed a threat actor to steal sensitive information on almost 638,000 people, the company said last week in an updated data breach disclosure filing in Maine.
• The San Francisco-based law firm previously determined the two-week long breach of a file-share service compromised records on almost 153,000 individuals. The number of individuals impacted more than quadrupled between the July and December disclosures.
• A threat actor accessed and stole data from Orrick’s system between Feb. 28 and March 13, and an analysis of personal information in certain unstructured data was completed in mid-October, the company said. Orrick did not respond to a request for comment.

Dive Insight:

The widened pool of individuals affected comes just weeks after Orrick said it reached an agreement to settle four class-action lawsuits filed by victims that accused the company of failing to timely inform them of the breach. 

Orrick did not say how the threat actor gained access to its system or if it was extorted for a ransom.

The stolen data is expansive, including personally identifiable information such as names, addresses, email addresses, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, financial account information, credit or debit card numbers and tax ID numbers. Health information was also stolen, including medical treatment or diagnosis information, claims information, health insurance ID numbers, healthcare providers, medical record numbers and account credentials.

“Orrick deployed additional security measures and tools with the guidance of third-party experts to strengthen the ongoing security of its network,” the company said in the disclosure. “Orrick is not aware of any misuse of the affected personal information.”