{"id":155932,"date":"2026-07-07T15:06:42","date_gmt":"2026-07-07T23:06:42","guid":{"rendered":"https:\/\/xira.com\/p\/2026\/07\/07\/blank-rome-hit-with-two-class-actions-after-data-breach-exposes-57000-clients\/"},"modified":"2026-07-07T15:06:42","modified_gmt":"2026-07-07T23:06:42","slug":"blank-rome-hit-with-two-class-actions-after-data-breach-exposes-57000-clients","status":"publish","type":"post","link":"https:\/\/xira.com\/p\/2026\/07\/07\/blank-rome-hit-with-two-class-actions-after-data-breach-exposes-57000-clients\/","title":{"rendered":"Blank Rome Hit With Two Class Actions After Data Breach Exposes 57,000 Clients"},"content":{"rendered":"<p>One might say that Blank Rome got hacked. But \u201chacked\u201d would be doing a lot of heavy lifting in that case. It\u2019s not like anybody cracked the firewall, deployed a zero-day, or spent a month tunneling through the firm\u2019s defenses while taunting the IT team. Someone picked up a phone on May 21, called a Blank Rome attorney, said some version of \u201chi, this is IT,\u201d and asked them to upload the client files to an external Google Drive. <\/p>\n<p>And then they just\u2026 did that.<\/p>\n<p>According to two proposed class actions <a href=\"https:\/\/www.law.com\/thelegalintelligencer\/2026\/07\/06\/blank-rome-sued-twice-over-may-cyber-breach\/\" rel=\"nofollow noopener\" target=\"_blank\">filed Monday<\/a> in the Eastern District of Pennsylvania, this oopsie exposed the personal information of 57,554 current and former clients and assorted other people whose data happened to be sitting in those files. The breach included names and Social Security numbers, and possibly more. Blank Rome is offering either 12 or 24 months of credit monitoring per a notice of data breach filed with the California Attorney General\u2019s Office. The folks behind these lawsuits seem to find this offer underwhelming.<\/p>\n<p>Kopelowitz Ostrow, Milberg PLLC, and the Srourian Law Firm filed one suit, and Strauss Borrelli filed the other, but they are substantially identical suits, alleging negligence, breach of fiduciary duty, breach of implied contract, and violations of a stack of California privacy statutes. That two plaintiffs\u2019 firms had substantially matching complaints ready to drop on the same afternoon tells you how routine this particular genre of harm has become. <\/p>\n<p>Blank Rome\u2019s response is a tell. The firm says there was \u201cno access to the firm\u2019s network or disruption of operations.\u201d Which is <em>true<\/em>, though also something of an \u201cother than that, how was the play Mrs. Lincoln?\u201d response. The victims of a data breach don\u2019t really care how it happened. \u201cWe are committed to protecting our clients\u2019 information and maintaining the trust they place in us,\u201d the firm continued. \u201cWe believe the lawsuit has no merit and will aggressively defend against it.\u201d<\/p>\n<p>Not quite sure how \u201cno merit\u201d comports with the statement where the firm\u2019s <em>own account of events<\/em> admits it gave away private information, but you miss 100 percent of the shots you don\u2019t take.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cBlank Rome experienced a limited incident in which a group that targets law firms called one of our attorneys, posed as our IT department, and misled the attorney into uploading files to an external file hosting website. We acted quickly to mitigate and contain the incident, notified law enforcement, began an investigation with the support of external cybersecurity professionals, and communicated with affected clients,\u201d said a Blank Rome spokesperson in response to a request for comment.<\/p>\n<\/blockquote>\n<p>In between flying Kash Patel to exotic drinking locations around the world, the FBI actually put out an alert about this particular scam. The Silent Ransom Group \u2014 also traveling under Luna Moth and a rotating cast of names that would also make excellent garage bands \u2014 has been running fake-IT-support scams against law firms since 2023. We covered it when <a href=\"https:\/\/abovethelaw.com\/2026\/04\/jones-day-gets-hacked-while-fbi-busy-planning-kash-patels-next-vacation\/\" rel=\"nofollow noopener\" target=\"_blank\">Jones Day got hit<\/a>. We covered it <a href=\"https:\/\/abovethelaw.com\/2026\/06\/cyberattack-gives-biglaw-firm-a-new-return-to-office-excuse\/\" rel=\"nofollow noopener\" target=\"_blank\">three weeks ago<\/a>, when the same scheme \u2014 cybercriminals impersonating internal IT and calling employees \u2014 pushed Lewis Brisbois to yank remote access and haul everyone back to the office. The point is, this isn\u2019t a novel threat.<\/p>\n<p>Blank Rome\u2019s own Privacy, Security &amp; Data Protection practice touts its experience preparing \u201csecurity incident response coaching,\u201d assembling internal response teams, and guiding organizations through breach notification. In this case, the call was coming from inside the house. Metaphorically, of course. Obviously the <em>actual<\/em> call came from outside the house. But was pretending to be inside the house. You know what, let\u2019s forget that whole colloquialism and start over. <em>In this case, physician heal thyself<\/em>:<\/p>\n<p>The other half of the lawsuit is the timing. The firm says it caught the incident within two hours, took the attorney\u2019s device offline, deleted the uploaded files, and called law enforcement \u2014 a genuinely fast detection to the firm\u2019s credit. But the suits complain that the victims weren\u2019t told until June 26.<\/p>\n<p>Law firms remain one of the softest targets around. They sit on a lot of valuable secrets, but often lack the hardened security corporations build around themselves. Not that hardened security does much to avoid a fake IT call. Still, it underscores the fact that law firms need to put a priority on shielding its secrets. Even from itself\u2026 or anyone pretending to be itself.<\/p>\n<p><a href=\"https:\/\/www.law.com\/thelegalintelligencer\/2026\/07\/06\/blank-rome-sued-twice-over-may-cyber-breach\/\" rel=\"nofollow noopener\" target=\"_blank\">Blank Rome Sued Twice Over May Cyber Breach<\/a> [Legal Intelligencer]<\/p>\n<p><strong>Earlier<\/strong>: <a href=\"https:\/\/abovethelaw.com\/2026\/04\/jones-day-gets-hacked-while-fbi-busy-planning-kash-patels-next-vacation\/\" rel=\"nofollow noopener\" target=\"_blank\">Jones Day Gets Hacked While FBI Busy Planning Kash Patel\u2019s Next Vacation<\/a><br \/><a href=\"https:\/\/abovethelaw.com\/2026\/06\/cyberattack-gives-biglaw-firm-a-new-return-to-office-excuse\/\" rel=\"nofollow noopener\" target=\"_blank\">Cyberattack Gives Biglaw Firm A New Return-To-Office Excuse<\/a><\/p>\n<p>The post <a href=\"https:\/\/abovethelaw.com\/2026\/07\/blank-rome-hit-with-two-class-actions-after-data-breach-exposes-57000-clients\/\" rel=\"nofollow noopener\" target=\"_blank\">Blank Rome Hit With Two Class Actions After Data Breach Exposes 57,000 Clients<\/a> appeared first on <a href=\"https:\/\/abovethelaw.com\/\" rel=\"nofollow noopener\" target=\"_blank\">Above the Law<\/a>.<\/p>\n<figure class=\"post-single__featured-image post-single__featured-image--medium alignright\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/i0.wp.com\/abovethelaw.com\/wp-content\/uploads\/sites\/4\/2025\/11\/GettyImages-2182049562-300x300.jpg?resize=300%2C300&#038;ssl=1\" class=\"attachment-medium size-medium wp-post-image\" alt=\"\" title=\"\"><\/figure>\n<p>One might say that Blank Rome got hacked. But \u201chacked\u201d would be doing a lot of heavy lifting in that case. It\u2019s not like anybody cracked the firewall, deployed a zero-day, or spent a month tunneling through the firm\u2019s defenses while taunting the IT team. Someone picked up a phone on May 21, called a Blank Rome attorney, said some version of \u201chi, this is IT,\u201d and asked them to upload the client files to an external Google Drive. <\/p>\n<p>And then they just\u2026 did that.<\/p>\n<p>According to two proposed class actions <a href=\"https:\/\/www.law.com\/thelegalintelligencer\/2026\/07\/06\/blank-rome-sued-twice-over-may-cyber-breach\/\" rel=\"nofollow noopener\" target=\"_blank\">filed Monday<\/a> in the Eastern District of Pennsylvania, this oopsie exposed the personal information of 57,554 current and former clients and assorted other people whose data happened to be sitting in those files. The breach included names and Social Security numbers, and possibly more. Blank Rome is offering either 12 or 24 months of credit monitoring per a notice of data breach filed with the California Attorney General\u2019s Office. The folks behind these lawsuits seem to find this offer underwhelming.<\/p>\n<p>Kopelowitz Ostrow, Milberg PLLC, and the Srourian Law Firm filed one suit, and Strauss Borrelli filed the other, but they are substantially identical suits, alleging negligence, breach of fiduciary duty, breach of implied contract, and violations of a stack of California privacy statutes. That two plaintiffs\u2019 firms had substantially matching complaints ready to drop on the same afternoon tells you how routine this particular genre of harm has become. <\/p>\n<p>Blank Rome\u2019s response is a tell. The firm says there was \u201cno access to the firm\u2019s network or disruption of operations.\u201d Which is <em>true<\/em>, though also something of an \u201cother than that, how was the play Mrs. Lincoln?\u201d response. The victims of a data breach don\u2019t really care how it happened. \u201cWe are committed to protecting our clients\u2019 information and maintaining the trust they place in us,\u201d the firm continued. \u201cWe believe the lawsuit has no merit and will aggressively defend against it.\u201d<\/p>\n<p>Not quite sure how \u201cno merit\u201d comports with the statement where the firm\u2019s <em>own account of events<\/em> admits it gave away private information, but you miss 100 percent of the shots you don\u2019t take.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cBlank Rome experienced a limited incident in which a group that targets law firms called one of our attorneys, posed as our IT department, and misled the attorney into uploading files to an external file hosting website. We acted quickly to mitigate and contain the incident, notified law enforcement, began an investigation with the support of external cybersecurity professionals, and communicated with affected clients,\u201d said a Blank Rome spokesperson in response to a request for comment.<\/p>\n<\/blockquote>\n<p>In between flying Kash Patel to exotic drinking locations around the world, the FBI actually put out an alert about this particular scam. The Silent Ransom Group \u2014 also traveling under Luna Moth and a rotating cast of names that would also make excellent garage bands \u2014 has been running fake-IT-support scams against law firms since 2023. We covered it when <a href=\"https:\/\/abovethelaw.com\/2026\/04\/jones-day-gets-hacked-while-fbi-busy-planning-kash-patels-next-vacation\/\" rel=\"nofollow noopener\" target=\"_blank\">Jones Day got hit<\/a>. We covered it <a href=\"https:\/\/abovethelaw.com\/2026\/06\/cyberattack-gives-biglaw-firm-a-new-return-to-office-excuse\/\" rel=\"nofollow noopener\" target=\"_blank\">three weeks ago<\/a>, when the same scheme \u2014 cybercriminals impersonating internal IT and calling employees \u2014 pushed Lewis Brisbois to yank remote access and haul everyone back to the office. The point is, this isn\u2019t a novel threat.<\/p>\n<p>Blank Rome\u2019s own Privacy, Security &amp; Data Protection practice touts its experience preparing \u201csecurity incident response coaching,\u201d assembling internal response teams, and guiding organizations through breach notification. In this case, the call was coming from inside the house. Metaphorically, of course. Obviously the <em>actual<\/em> call came from outside the house. But was pretending to be inside the house. You know what, let\u2019s forget that whole colloquialism and start over. <em>In this case, physician heal thyself<\/em>:<\/p>\n<p>The other half of the lawsuit is the timing. The firm says it caught the incident within two hours, took the attorney\u2019s device offline, deleted the uploaded files, and called law enforcement \u2014 a genuinely fast detection to the firm\u2019s credit. But the suits complain that the victims weren\u2019t told until June 26.<\/p>\n<p>Law firms remain one of the softest targets around. They sit on a lot of valuable secrets, but often lack the hardened security corporations build around themselves. Not that hardened security does much to avoid a fake IT call. Still, it underscores the fact that law firms need to put a priority on shielding its secrets. Even from itself\u2026 or anyone pretending to be itself.<\/p>\n<p><a href=\"https:\/\/www.law.com\/thelegalintelligencer\/2026\/07\/06\/blank-rome-sued-twice-over-may-cyber-breach\/\" rel=\"nofollow noopener\" target=\"_blank\">Blank Rome Sued Twice Over May Cyber Breach<\/a> [Legal Intelligencer]<\/p>\n<p><strong>Earlier<\/strong>: <a href=\"https:\/\/abovethelaw.com\/2026\/04\/jones-day-gets-hacked-while-fbi-busy-planning-kash-patels-next-vacation\/\" rel=\"nofollow noopener\" target=\"_blank\">Jones Day Gets Hacked While FBI Busy Planning Kash Patel\u2019s Next Vacation<\/a><br \/><a href=\"https:\/\/abovethelaw.com\/2026\/06\/cyberattack-gives-biglaw-firm-a-new-return-to-office-excuse\/\" rel=\"nofollow noopener\" target=\"_blank\">Cyberattack Gives Biglaw Firm A New Return-To-Office Excuse<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>One might say that Blank Rome got hacked. But \u201chacked\u201d would be doing a lot of heavy lifting in that case. It\u2019s not like anybody cracked the firewall, deployed a zero-day, or spent a month tunneling through the firm\u2019s defenses while taunting the IT team. Someone picked up a phone on May 21, called a [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":155933,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[16],"tags":[],"class_list":["post-155932","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-above_the_law"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/xira.com\/p\/wp-content\/uploads\/2026\/07\/GettyImages-2182049562-dgYHMb.webp?fit=591%2C591&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts\/155932","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/comments?post=155932"}],"version-history":[{"count":0,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts\/155932\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/media\/155933"}],"wp:attachment":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/media?parent=155932"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/categories?post=155932"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/tags?post=155932"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}