ABA data breach exposes account information of 1.4 million members
Updated: May 6
Publicly available information about the data breach suggests that on March 6, 2023 an unauthorized third party gained access to a legacy system operated by the American Bar Association (ABA).
The attackers had access to member data for at least eleven days before they were detected.
The official ABA notice states: "...the investigation identified that an unauthorized third party acquired usernames and hashed and salted passwords that you may have used to access online accounts on the old ABA website prior to 2018 or the ABA Career Center since 2018."
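"Hashed and salted" is reassuring only if the hash function is slow. The salt is stored next to each hash, so it does not stop an attacker who already holds the table from guessing passwords; it only prevents precomputed (rainbow-table) attacks and forces every account to be attacked separately. The notice does not say which algorithm the legacy system used, so the script below is an added illustration, not code from the ABA or from the original post: it builds a constructed credential table with a fast salted hash (SHA-256) and a slow key-derivation function (scrypt), runs the same offline dictionary attack against both, and measures the cost per guess. The usernames, passwords and wordlist are invented for the example.

```python
import hashlib
import os
import time

# Constructed wordlist and credentials for this example only.
WORDLIST = ["password", "letmein", "Summer2023!", "lawyer123", "qwerty"]
CREDS = [("alice", "Summer2023!"), ("bob", "lawyer123"), ("carol", "xK9#v2!pQ7mL")]


def fast_hash(password: str, salt: bytes) -> str:
    """Salted SHA-256: one cheap operation, so every guess is cheap too."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes) -> str:
    """scrypt with a deliberately high cost (assumed parameters): each guess
    costs real CPU time and ~16 MB of memory, which is what slows an attacker."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1).hex()


def make_table(scheme, creds):
    """Build a 'leaked' table of (username, salt, digest) with a random salt per user."""
    table = []
    for user, pw in creds:
        salt = os.urandom(16)
        table.append((user, salt, scheme(pw, salt)))
    return table


def crack(table, scheme, wordlist):
    """Offline dictionary attack. The attacker has the salt, so the only
    defence left is the per-guess cost of the hashing scheme."""
    found = {}
    guesses = 0
    for user, salt, digest in table:
        for candidate in wordlist:
            guesses += 1
            if scheme(candidate, salt) == digest:
                found[user] = candidate
                break
    return found, guesses


def seconds_per_guess(scheme, trials: int = 3) -> float:
    """Average wall-clock cost of a single guess under the given scheme."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(trials):
        scheme("benchmark", salt)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    for name, scheme in (("salted SHA-256", fast_hash), ("scrypt", slow_hash)):
        table = make_table(scheme, CREDS)
        found, guesses = crack(table, scheme, WORDLIST)
        print(f"{name}: recovered {found} after {guesses} guesses, "
              f"{seconds_per_guess(scheme) * 1e6:.0f} us per guess")
```

Both schemes give up the two wordlist passwords; the difference is that the fast hash lets an attacker try millions of candidates per second per account, while scrypt (or bcrypt, Argon2) makes the same dictionary run thousands of times more expensive. Carol's password survives in both cases only because it is not in the wordlist. For affected users, the practical advice is the same regardless of algorithm: treat the password as compromised and change it everywhere it was reused.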
Once the unusual activity was detected, it took another six days before the investigation pinpointed the likely date of initial access as March 6, 2023.
After the ABA notified its members on April 20, a class-action lawsuit was promptly filed on April 21, 2023 in the U.S. District Court for the Eastern District of New York.
The lawsuit alleges that the ABA “grossly failed in its obligations to abide by best practices and industry standards in protecting customers’ personal information" and "failed to uncover and disclose the extent of the Breach and notify its affected customers of the Breach in a timely manner."
One of the biggest setbacks of this incident for the ABA is that the ABA itself advocates for raising cyber security awareness within the legal community. It has published updated Model Rules (1.1, 1.15, 1.4, 1.6, 5.1, 5.3) and Formal Opinions (477R and 483) that specifically call out the importance of efficient and actively managed cyber risk mitigation efforts.
Unfortunately, this incident suggests that the ABA's own practices did not fully live up to that guidance. Still, without knowing the specific vulnerability used to gain access and which security controls were active at the time, it is difficult to attribute the breach to any particular breakdown in the ABA's efforts to safeguard its members' data.
This incident still carries a certain level of reputational harm for the ABA and will require efforts to regain the trust of its members.
From a threat intelligence perspective, it will be interesting to see whether the stolen ABA member information makes its way to the dark web for sale or remains "at large". If the information is put up for sale, that follows the hallmarks of a financially motivated cyber criminal. If the data is not put up for sale, it could suggest that the information is being held by a threat actor that specializes in intelligence gathering for future campaigns, for example credential-stuffing attacks against other sites where the same passwords were reused.
Unfortunately, law firms are increasingly the targets of cyber attacks, and a cyber incident can quickly expose highly sensitive client or internal documents such as intellectual property, patents, case strategies for merger and acquisition negotiations, financial documents, medical records, and more. This type of loss, as in the case of the ABA, most often leads to a costly investigation and/or litigation.
Historically, only large corporations and enterprises could afford sophisticated cyber incident detection and prevention solutions. As of today, however, there is a highly sophisticated, affordable cyber detection and prevention solution for smaller organizations and law firms.
If you're wondering how boutique firms and smaller organizations can afford the same next generation security protections that large corporations have, give us a call today.
Proactive measures and deliberately implemented, reasonable cyber risk mitigation efforts contribute significantly to protecting sensitive information.
Proactive Discovery has made it its mission to put a cyber security resource in your corner so you can focus on your business. Proactive Discovery provides a fully managed cyber risk mitigation service that operates on a 24x7x365 monitor and response model. Our team of cyber security professionals is focused on preventing, detecting, and removing cyber threats. Before now, this level of cyber risk mitigation was only available to large corporations with big security budgets and departments. We are now making the same enterprise-level cyber risk mitigation capabilities a reality for boutique firms and small businesses.
We're all vulnerable to cyber-attacks.
Start your cyber risk mitigation journey by scheduling a free consultation at https://tiny.proactivediscovery.com/book-cyber-call or visit our fully-managed RESOLUTE cyber risk mitigation service page for more details.
Stay safe and secure out there!
March 6, 2023 – unauthorized third party gains access to data.
March 17, 2023 – ABA detects unusual activity on its network and begins an investigation.
March 23, 2023 – investigation identifies March 6 as the initial date of access to 1.4 million member accounts by an unauthorized third party. This access exposed usernames and hashed and salted passwords.
April 20, 2023 – ABA notifies its members of cyber incident.
April 21, 2023 – Class action lawsuit is filed in U.S. District Court for the Eastern District of New York.