Goodwin Procter fell victim to a data breach after a vendor it uses for large file transfers recently reported it was hacked, according to an internal memo obtained by Bloomberg Law.
The memorandum circulated by Goodwin managing partner Mark Bettencourt on Tuesday said Goodwin was informed of the security issue on Jan. 22, and immediately stopped using the service.
The firm also retained a third-party forensic expert and launched an investigation.
Goodwin confirmed the veracity of Bettencourt’s memo, but declined to comment further.
Cyber breaches have become a growing issue for Big Law firms, which possess an abundance of valuable data and privileged information belonging to attorneys and clients on their networks.
Goodwin’s breach investigation revealed that a “small percentage” of the firm’s clients “may have experienced unauthorized access to or acquisition of confidential material” on Jan. 20, Bettencourt said. He said that potentially impacted clients were notified, and all of the firm’s clients were told about the breach.
Internally, “only a few Goodwin employees were affected,” and have been notified as well, according to the memo.
“At this time, we have found no evidence that any Goodwin resources were affected other than the file transfer service, and our business operations have not been affected,” said Bettencourt, whose memo said Goodwin had been running the most current version of the vendor’s service, conducting maintenance, and using security patches.
The email said it was likely “multiple customers” of the file transfer service had been impacted by the breach.
Goodwin came in at No. 22 in the American Lawyer’s most recent rankings of the largest U.S. law firms by gross revenue. The Boston-founded firm, which has offices around the globe, pulled in around $1.3 billion in 2019 and has done major deals of late for technology and life sciences companies.
Aside from Goodwin, a handful of Big Law firms have experienced data breaches in the last few months alone.
Seyfarth Shaw was the victim of a malware attack in October. Fragomen and Cadwalader, Wickersham & Taft also reported breaches late last year.
In 2017 DLA Piper
Plenty of security breaches happen at law firms, but they often don’t get reported, especially if there’s no unauthorized acquisition of or access to data, said Christopher Ballod, associate managing director of cyber risk at Kroll and former vice chair of the data privacy and cybersecurity practice at Lewis Brisbois Bisgaard & Smith.
“You’re seeing less than the smallest tip of the iceberg in incidents,” Ballod said.
He said that the most sophisticated threat actors are always looking at Big Law firms given the amount of sensitive data they possess. Third-party service providers these law firms often use are also potential targets.
Breach concerns at law firms may be even higher than in other industries, because law is such a trust-based business, according to Ballod.
“So a breach of privacy, any incident at all that could implicate the sanctity of client data is potentially catastrophic, it destroys or damages that carefully crafted brand,” he said.