Pierluigi Paganini January 06, 2024

Law firm Orrick, Herrington & Sutcliffe disclosed a data breach that took place in early 2023, which impacted roughly 600,000 individuals.

The law firm Orrick, Herrington & Sutcliffe, disclosed a data breach that impacted 638,000 individuals.

An authorized actor gained access to the company network between February 28 and March 13. The intruders gained access to a storage containing files related to the clients of the law firm.

Orrick, Herrington & Sutcliffe LLP is a global law firm with a focus on serving clients in the technology, energy, and financial sectors. It provides legal services in various practice areas, including corporate, finance, litigation, intellectual property, and cybersecurity. The firm has offices in multiple countries and is known for its representation of technology and innovation-driven companies.

Some of these people were customers of Orrick’s clients who suffered data breaches.

Orrick explained that it immediately took steps to block the unauthorized access and launched an investigation into the security incident.

“On March 13, 2023, Orrick detected that an unauthorized third party gained remote access to a portion of its network, including a file share that Orrick used to store certain client files.” reads the data breach notification.

“Orrick also notified law enforcement. Orrick has identified no evidence of further unauthorized activity since detecting the security incident on March 13.”

The law firm notified the impacted clients’ customers, and the exposed info varies for each individual. The information affected may have included: name, address, email address, date of birth, Social Security number, driver’s license or other government-issued identification number, passport number, financial account information, tax identification number, medical treatment and/or diagnosis information, claims information (date, cost of services, and claims identifiers), health insurance.

In December 2023, the law firm announced that it was working out a settlement with class action plaintiffs who said their personal information was compromised in a March 2023 data breach.

Reuters reported that Orrick, in a court filing in San Francisco federal court, said it reached an agreement in principle to settle four consolidated lawsuits brought on behalf of hundreds of thousands of alleged victims of the breach.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)