Law firm Jones Day says hackers got their hands on confidential client data and firm communications when an outside vendor’s file transfer system was breached.
Jones Day is the second major law firm in two weeks to have private data exposed as a result of a breach at Accellion, which provides file transfer and other services for a number of firms. Goodwin Procter said Feb. 2 that certain client and employee data was also left unprotected.
“Jones Day has been informed that Accellion’s FTA file transfer platform, which is a platform that Jones Day—like many law firms, companies and organizations—used was recently compromised and information taken,” said spokesman David Petrou in a statement provided to Bloomberg Law. “Jones Day continues to investigate the breach and has been, and will continue to be, in discussion with affected clients and appropriate authorities.”
The firm is the tenth largest in the country, with more than $2 billion in gross revenue, according to AmLaw 2020 rankings. It was closely tied with the Trump administration, sending several attorneys to high-ranking government posts and representing the Trump campaign.
Jones Day’s clients also include
Accellion said in a statement posted to its website Feb. 1 that its File Transfer Appliance, a two-decades-old file transfer product, “was the target of a sophisticated cyberattack.”
“Accellion is conducting a full assessment of the FTA data security incident with an industry-leading cybersecurity forensics firm,” spokesman Robert Dougherty told Bloomberg Law. “We will share more information once this assessment is complete. For their protection, we do not comment on specific customers.”
State officials in Washington said in January that more than 1 million state residents seeking unemployment benefits in recent years had their data exposed as part of the Accellion breach. The California tech vendor is already facing a lawsuit on behalf of those residents.
The University of Colorado is among a wide range of other entities who have reported being impacted by the breach.
“Accellion has a track record of severe, readily-exploitable vulnerabilities in the FTA product,” said Bob Dooling a security risk manager for health IT company Redox. He noted that Facebook reportedly stopped using the product in 2016 after a single researcher hacked the system, exploiting at least one vulnerability “very similar” to the source of the latest breach.
Accellion has said it provides services for a number of large law firms, including Cozen O’Connor, Seyfarth Shaw, Arent Fox, and Barnes & Thornburg. No other firms reported breaches in response to Bloomberg Law inquiries following the Goodwin Procter announcement.