Washington, DC-based law firm Wiley Rein LLP failed to detect a cyberattack for about eight months, giving hackers access to sensitive consumer data that was stolen and sold on the dark web, according to a proposed class action filed in federal court.
The data breach allegedly exposed thousands of current and former consumers’ names, addresses, dates of birth, financial account numbers, medical information, and Social Security numbers, according to a complaint filed in the US District Court for the District of Columbia. Hackers gained access to the firm’s systems for eight months as early as July 2024, but Wiley Rein didn’t discover the breach until June 2025 and waited until March 2026—nearly two years later—to notify victims, the lawsuit said.
“Cybercriminals had unfettered access to Defendant’s systems for a staggering eight months and was not discovered by Defendant until almost a year later,” the May 22 lawsuit said. “Defendant’s failure to timely detect and report the Data Breach made its consumers vulnerable to identity theft without any warnings to monitor their financial accounts or credit reports to prevent unauthorized use of their Sensitive Information.”
While Wiley Rein “plans to offer several months of complimentary credit monitoring services to victims,” this won’t adequately address “the lifelong harm victims will face” since the cyberattack leaked personal information that can’t be changed, the complaint said.
Derrick Burkett is a Florida resident who claims he’s disputing at least 19 fraudulent charges on his MetLife estate account as a result of the data breach. Burkett is suing Wiley Rein for negligence, breach of third-party contract, unjust enrichment, and invasion of privacy on behalf of himself and similarly-situated individuals whose information was compromised in the data breach.
The firm also allegedly violated its duties under the Federal Trade Commission Act through its “failure to employ reasonable and appropriate measures to protect against unauthorized access to consumers’ Sensitive Information,” Burkett said. Upon information and belief, the firm failed to implement “industry-standard cybersecurity practices” such as multi-factor authentication, malware detection software, and staff training, the filing said.
The complaint seeks restitution, pre-and-post judgment interest, various types of damages, declaratory relief, and an order enjoining Wiley Rein from further engaging in deceptive practices tied to the data breach.
A spokesperson for Wiley Rein didn’t immediately respond to a request for comment.
Farrell & Fuller and Motley Rice LLC represent Burkett and his proposed class.
The case is Burkett v. Wiley Rein LLP, D.D.C., No. 1:26-cv-01791, complaint filed 5/22/26.
Learn more about Bloomberg Law or Log In to keep reading:
See Breaking News in Context
Bloomberg Law provides trusted coverage of current events enhanced with legal analysis.
Already a subscriber?
Log in to keep reading or access research tools and resources.