A Law Firm Was Hacked. Now It Faces a Class Action Lawsuit

The Wacks Law Group of Whippany discovered suspicious activity on its network on March 9. A short time later, a ransomware group called Qilin claimed responsibility for the breach, according to the suit.

A New Jersey law firm that was the target of a data breach now faces a suit on behalf of individuals whose personal information was targeted.

The Wacks Law Group of Whippany discovered suspicious activity on its network on March 9. A short time later, a ransomware group called Qilin claimed responsibility for the breach, according to the suit.

The breach yielded personal information such as names, Social Security numbers and driver’s license numbers that the law firm collected in connection with the legal service it provides, the suit claims.

The Wacks Law Group focuses on trusts and estates and has six lawyers, according to its website. The firm’s Edward Wacks did not respond to a phone message or text message.

The suit was brought by Milberg Coleman Bryson Phillips Grossman, a leading class action firm, along with Federman & Sherwood of Oklahoma City, Oklahoma.

Qilin, also known as Agenda, likely originates from Russia, and was recently observed recruiting affiliates in late 2023, the suit states. It is an ransomware-as-a-service company, in which one party pays another to launch a ransomware attack, the suit says. It surfaced in 2022 and targets critical infrastructure entities, the suit claims.

Once Qilin gains access to the target system, it proceeds to encript valuable information, such as personal details, credit card information or account credentials, which can fetch monetary awards, the suit claims. After encrypting the data, the actors demand a ransom to release a private key required to -decrypt the data, with ransoms typically demanded in cryptocurrencies such as bitcoin or ethereum, to allow the attackers to remain anonymous, the suit claims.

“It is important to note that paying the ransom does not guarantee the release of the private key, and there is no guarantee that the cycle of attacks and ransom demands will cease,” the suit claims.

Lead plaintiff Theresa Beller is a Jacksonville, Florida, resident who received a notice from Wacks Law Group on Aug. 6, notifying her that her name, Social Security number and driver’s license number were compromised in the data breach. The class has more than 100 members and the amount in controversy exceeds $5 million, the suit states.

The law firm offered the plaintiff and class members a “token gesture of a mere 12 months of credit monitoring services,” but that offer is “woefully inadequate considering plaintiff and class members will be at a continued risk of fraud and identity theft for the rest of their lives. This gesture does not and will not fully protect plaintiff and the class from cybercriminals and is largely ineffective against protecting data after it has been stolen,” the suit claims.

Cybercriminals are aware of the preventative measures taken by entities after data breaches and will often hold onto the stolen data and not use it until after the free service runs out, and long after preventative steps have diminished, the suit claims.

The Wacks Law Group failed to take proper precautions against a cyberattack, despite notice that law firms are prime targets for such crimes, the suit claims. Some notable law firm cyberattacks were at Orrick, Herrington & Sutcliffe; Grubman Shire Meiselas & Sacks; Proskauer Rose; Bermuda-based Appleby; and Mossack Fonseca of Panama, the suit says.

The suit cites the American Bar Association’s 2023 Legal Technology Survey, which says approximately 29% of law firms reported experiencing a data breach, up from 26% in 2022. Smaller firms are particularly at risk, with 35% of firms with 10- 49 attorneys reporting breaches compared with 22% of firms with more than 500 attorneys.”

The suit also cites an article in The American Lawyer, a Law.com affiliate of the New Jersey Law Journal, which said that “[f]ive months into the year, 2024 is on pace to be the biggest year in the history of law firm data breach reports. At least 21 law firms filed data breach reports to state attorneys general offices this year. By comparison, 2023 saw 28 law firm breach reports, while 2022 had 33 breach reports and 2021 had 38.”