Select Page

One might say that Blank Rome got hacked. But “hacked” would be doing a lot of heavy lifting in that case. It’s not like anybody cracked the firewall, deployed a zero-day, or spent a month tunneling through the firm’s defenses while taunting the IT team. Someone picked up a phone on May 21, called a Blank Rome attorney, said some version of “hi, this is IT,” and asked them to upload the client files to an external Google Drive.

And then they just… did that.

According to two proposed class actions filed Monday in the Eastern District of Pennsylvania, this oopsie exposed the personal information of 57,554 current and former clients and assorted other people whose data happened to be sitting in those files. The breach included names and Social Security numbers, and possibly more. Blank Rome is offering either 12 or 24 months of credit monitoring per a notice of data breach filed with the California Attorney General’s Office. The folks behind these lawsuits seem to find this offer underwhelming.

Kopelowitz Ostrow, Milberg PLLC, and the Srourian Law Firm filed one suit, and Strauss Borrelli filed the other, but they are substantially identical suits, alleging negligence, breach of fiduciary duty, breach of implied contract, and violations of a stack of California privacy statutes. That two plaintiffs’ firms had substantially matching complaints ready to drop on the same afternoon tells you how routine this particular genre of harm has become.

Blank Rome’s response is a tell. The firm says there was “no access to the firm’s network or disruption of operations.” Which is true, though also something of an “other than that, how was the play Mrs. Lincoln?” response. The victims of a data breach don’t really care how it happened. “We are committed to protecting our clients’ information and maintaining the trust they place in us,” the firm continued. “We believe the lawsuit has no merit and will aggressively defend against it.”

Not quite sure how “no merit” comports with the statement where the firm’s own account of events admits it gave away private information, but you miss 100 percent of the shots you don’t take.

“Blank Rome experienced a limited incident in which a group that targets law firms called one of our attorneys, posed as our IT department, and misled the attorney into uploading files to an external file hosting website. We acted quickly to mitigate and contain the incident, notified law enforcement, began an investigation with the support of external cybersecurity professionals, and communicated with affected clients,” said a Blank Rome spokesperson in response to a request for comment.

In between flying Kash Patel to exotic drinking locations around the world, the FBI actually put out an alert about this particular scam. The Silent Ransom Group — also traveling under Luna Moth and a rotating cast of names that would also make excellent garage bands — has been running fake-IT-support scams against law firms since 2023. We covered it when Jones Day got hit. We covered it three weeks ago, when the same scheme — cybercriminals impersonating internal IT and calling employees — pushed Lewis Brisbois to yank remote access and haul everyone back to the office. The point is, this isn’t a novel threat.

Blank Rome’s own Privacy, Security & Data Protection practice touts its experience preparing “security incident response coaching,” assembling internal response teams, and guiding organizations through breach notification. In this case, the call was coming from inside the house. Metaphorically, of course. Obviously the actual call came from outside the house. But was pretending to be inside the house. You know what, let’s forget that whole colloquialism and start over. In this case, physician heal thyself:

The other half of the lawsuit is the timing. The firm says it caught the incident within two hours, took the attorney’s device offline, deleted the uploaded files, and called law enforcement — a genuinely fast detection to the firm’s credit. But the suits complain that the victims weren’t told until June 26.

Law firms remain one of the softest targets around. They sit on a lot of valuable secrets, but often lack the hardened security corporations build around themselves. Not that hardened security does much to avoid a fake IT call. Still, it underscores the fact that law firms need to put a priority on shielding its secrets. Even from itself… or anyone pretending to be itself.

Blank Rome Sued Twice Over May Cyber Breach [Legal Intelligencer]

Earlier: Jones Day Gets Hacked While FBI Busy Planning Kash Patel’s Next Vacation
Cyberattack Gives Biglaw Firm A New Return-To-Office Excuse

The post Blank Rome Hit With Two Class Actions After Data Breach Exposes 57,000 Clients appeared first on Above the Law.

GettyImages 2182049562

One might say that Blank Rome got hacked. But “hacked” would be doing a lot of heavy lifting in that case. It’s not like anybody cracked the firewall, deployed a zero-day, or spent a month tunneling through the firm’s defenses while taunting the IT team. Someone picked up a phone on May 21, called a Blank Rome attorney, said some version of “hi, this is IT,” and asked them to upload the client files to an external Google Drive.

And then they just… did that.

According to two proposed class actions filed Monday in the Eastern District of Pennsylvania, this oopsie exposed the personal information of 57,554 current and former clients and assorted other people whose data happened to be sitting in those files. The breach included names and Social Security numbers, and possibly more. Blank Rome is offering either 12 or 24 months of credit monitoring per a notice of data breach filed with the California Attorney General’s Office. The folks behind these lawsuits seem to find this offer underwhelming.

Kopelowitz Ostrow, Milberg PLLC, and the Srourian Law Firm filed one suit, and Strauss Borrelli filed the other, but they are substantially identical suits, alleging negligence, breach of fiduciary duty, breach of implied contract, and violations of a stack of California privacy statutes. That two plaintiffs’ firms had substantially matching complaints ready to drop on the same afternoon tells you how routine this particular genre of harm has become.

Blank Rome’s response is a tell. The firm says there was “no access to the firm’s network or disruption of operations.” Which is true, though also something of an “other than that, how was the play Mrs. Lincoln?” response. The victims of a data breach don’t really care how it happened. “We are committed to protecting our clients’ information and maintaining the trust they place in us,” the firm continued. “We believe the lawsuit has no merit and will aggressively defend against it.”

Not quite sure how “no merit” comports with the statement where the firm’s own account of events admits it gave away private information, but you miss 100 percent of the shots you don’t take.

“Blank Rome experienced a limited incident in which a group that targets law firms called one of our attorneys, posed as our IT department, and misled the attorney into uploading files to an external file hosting website. We acted quickly to mitigate and contain the incident, notified law enforcement, began an investigation with the support of external cybersecurity professionals, and communicated with affected clients,” said a Blank Rome spokesperson in response to a request for comment.

In between flying Kash Patel to exotic drinking locations around the world, the FBI actually put out an alert about this particular scam. The Silent Ransom Group — also traveling under Luna Moth and a rotating cast of names that would also make excellent garage bands — has been running fake-IT-support scams against law firms since 2023. We covered it when Jones Day got hit. We covered it three weeks ago, when the same scheme — cybercriminals impersonating internal IT and calling employees — pushed Lewis Brisbois to yank remote access and haul everyone back to the office. The point is, this isn’t a novel threat.

Blank Rome’s own Privacy, Security & Data Protection practice touts its experience preparing “security incident response coaching,” assembling internal response teams, and guiding organizations through breach notification. In this case, the call was coming from inside the house. Metaphorically, of course. Obviously the actual call came from outside the house. But was pretending to be inside the house. You know what, let’s forget that whole colloquialism and start over. In this case, physician heal thyself:

The other half of the lawsuit is the timing. The firm says it caught the incident within two hours, took the attorney’s device offline, deleted the uploaded files, and called law enforcement — a genuinely fast detection to the firm’s credit. But the suits complain that the victims weren’t told until June 26.

Law firms remain one of the softest targets around. They sit on a lot of valuable secrets, but often lack the hardened security corporations build around themselves. Not that hardened security does much to avoid a fake IT call. Still, it underscores the fact that law firms need to put a priority on shielding its secrets. Even from itself… or anyone pretending to be itself.

Blank Rome Sued Twice Over May Cyber Breach [Legal Intelligencer]

Earlier: Jones Day Gets Hacked While FBI Busy Planning Kash Patel’s Next Vacation
Cyberattack Gives Biglaw Firm A New Return-To-Office Excuse