By Carl Mazzanti, CEO, eMazzanti
The current cyber landscape is not “hotter” because AI exists—it is faster and more dangerous because AI allows attackers to move at unprecedented speed. Tasks that once took days—mapping networks, crafting targeted phishing, automating intrusion—now happen in minutes. This has created a threat environment where a breach can begin and escalate before internal teams even notice the first anomaly.
More critically, firms today may have a “sleeping giant” inside their network: a silent compromise, an attacker already dwelling undetected in the environment, or a misconfigured system waiting to be exploited. What you don’t see can hurt you—sometimes months after the initial intrusion.
While headlines focus on large global firms, the same dynamics apply to small and midsize practices, which often operate with fewer security resources, less segmentation, and limited 24/7 monitoring.
Kirkland & Ellis: $100M+ (2023)
In May 2023, over Memorial Day weekend, hackers exploited a vulnerability in MOVEit Transfer—file transfer software made by Progress Software—compromising data from more than 50 corporations and 16 million individuals. Kirkland & Ellis was among 2,600 companies affected, according to Above the Law and Bloomberg Law.
What Was Missing: According to court documents reviewed by Reuters, there was no vendor security advisory monitoring system to track critical updates during non-business hours. No emergency patch deployment protocol existed for holiday weekends.
Kirkland didn’t notify affected client Trilogy until October—five months after the breach, according to court filings reviewed by Above the Law. More than 100 lawsuits were filed. Estimated total costs: $100M+.
Orrick, Herrington & Sutcliffe: $15M+ (2023)
Orrick discovered in March 2023 that unauthorized access had occurred between November 2022 and March 13, 2023, affecting 637,620 individuals, according to HIPAA Journal and BankInfoSecurity.
What Was Missing: The intrusion went undetected for approximately four months, according to HIPAA Journal. There was no 24/7 security monitoring system. Network segmentation was not implemented to limit lateral movement.
Orrick agreed to an $8 million settlement, plus credit monitoring for 637,000+ individuals, as reported by Bloomberg Law and confirmed by the ABA Journal. Total costs: $15-20M.
Jones Day: $20M+ (2021)
Jones Day experienced a breach when attackers exploited vulnerabilities in Accellion FTA, a file transfer application. Approximately 100GB of data was accessed, according to Flashpoint and Bloomberg Law. Accellion FTA was legacy software that reached end-of-life in April 2021.
What Was Missing: The firm lacked a technology lifecycle management process to track software end-of-life dates and plan timely migrations, as noted by Axel.
The data was subsequently published on dark web forums, as reported by Hackread and Threatpost. Estimated costs: $15-25M.
Grubman Shire Meiselas & Sacks: $15M+ (2020)
In May 2020, this entertainment law firm was affected by REvil ransomware. According to Variety and Arctic Wolf, 756GB of data was exfiltrated and attackers demanded $21 million, later increasing to $42 million as reported by CPO Magazine.
What Was Missing: Security experts noted the absence of advanced endpoint detection and response (EDR) systems, network segmentation, and offline immutable backup systems, according to EPIC Insurance Brokers. Estimated costs: $10-15M.
Bryan Cave Leighton Paisner: $8M (2023)
Between February 23 and March 1, 2023, unauthorized access exposed information from 51,110 employees of client Mondelēz International, according to ClassAction.org.
What Was Missing: Court documents indicated the firm lacked a practiced incident response plan. Individual notifications were delayed 113 days after initial detection.
The settlement totaled $750,000, according to Top Class Actions and Law360. Total costs: $5-8M.
Small Firms Aren’t Immune: Local Breaches Hit Home
The notion that only large firms are targeted is a dangerous myth. Recent breaches in the New York-New Jersey area prove small practices face identical risks—often with more devastating consequences.
Wacks Law Group: A Six-Attorney Firm’s $2M+ Nightmare
In March 2024, Wacks Law Group—a Whippany, New Jersey estate planning firm with just six attorneys—was hit by ransomware. The attack, detected March 9, exposed Social Security numbers, driver’s licenses, and confidential documents, according to ClassAction.org.
The Qilin ransomware group claimed responsibility, as reported by the New Jersey Law Journal. But the firm’s five-month delay in notifying victims—not until August—triggered a class-action lawsuit. According to the suit detailed by ClassAction.org, the delay gave criminals a substantial head start in exploiting stolen data. Estimated costs: $2-3M+
Genova Burns: The Third-Party Trap
In January 2023, mid-sized Newark firm Genova Burns discovered hackers had accessed Uber driver data it held as legal counsel. The breach, which occurred between January 23 and 31, compromised Social Security and tax ID numbers of New Jersey Uber drivers, according to The Register.
The case illustrates cascade risk: law firms holding client data become attack vectors. BreachLock noted the irony—Genova Burns had been hired to help Uber respond to a previous breach. According to Black Kite, 29% of 2023 breaches were third-party attacks.
Why Smaller Firms Face Greater Risk
These New Jersey cases prove firm size is irrelevant to attackers. The New Jersey Law Journal reported that 35% of firms with 10-49 attorneys experienced breaches, compared to 22% of firms with 500+ attorneys.
Smaller practices hold identical sensitive data but operate with limited IT capacity, delayed patching, minimal segmentation, no 24/7 monitoring, and reactive incident response. According to Embroker, these weaknesses make small firms easier targets.
More critically, a $2-3M breach can threaten a small firm’s survival, while a $100M breach is manageable for a global firm with billions in revenue.
Common Patterns Across All Five Cases
According to the American Bar Association, 29% of law firms reported a security breach in 2023, up from 27% in 2022, as documented by imageOne. Federal data breach class action lawsuits increased 154%—from 13 per month to 33 per month.
These five cases involved combined costs exceeding $150M. Analysis reveals consistent patterns:
Pattern 1: Vendor Monitoring Gaps – Critical security updates during holiday weekends went untracked (Kirkland).
Pattern 2: Detection Delays – Four months undetected (Orrick). Real-time monitoring with SIEM systems and 24/7 coverage can reduce detection time from months to hours, according to Threat Intelligence.
Pattern 3: Legacy System Risks – End-of-life software (Jones Day) becomes a critical vulnerability.
Pattern 4: Backup Limitations – Without offline immutable backups (Grubman), ransomware eliminates recovery options.
Pattern 5: Incident Response Gaps – Extended notification timelines (Bryan Cave’s 113 days) increase legal liability and harm.
Key Takeaways
- Holiday vulnerabilities are real – Kirkland’s Memorial Day breach occurred when security protocols weren’t active.
- Detection speed matters – The difference between four months undetected (Orrick) and immediate detection determines breach severity.
- Legacy systems create risks – End-of-life software (Jones Day) becomes a security liability.
- Backup strategy is crucial – Without offline backups (Grubman), ransomware forces impossible choices.
- Notification delays have consequences – Extended timelines (Bryan Cave’s 113 days, Wacks Law Group’s five months) increase liability and harm.
- Firm size is irrelevant – Six-attorney practices to global firms all hold valuable data. Threat Intelligence reports 65% of firms experienced cyber incidents.
- Third-party risk affects everyone – Firms holding client data (Genova Burns) become attack vectors requiring equal security standards.
Legal Disclaimer
This article is based exclusively on publicly available information including court filings, regulatory disclosures, breach notification letters, SEC filings, and reporting by established legal news sources including Bloomberg Law, Law.com, The American Lawyer, and Above the Law. All incidents described have been documented in public records. This article presents factual reporting on data security incidents for educational purposes and does not constitute legal advice. Readers should consult qualified legal and cybersecurity professionals for advice specific to their situations.
Sources
Kirkland & Ellis (Case 1)
- Above the Law. “Kirkland Sued In Class Action Case Over 2023 Ransomware Attack.” June 10, 2024. https://abovethelaw.com/2024/06/kirkland-sued-in-class-action-case-over-2023-ransomware-attack/
- Bloomberg Law. “Kirkland & Ellis Targeted in Massive MOVEit Data Breach Lawsuit.” June 10, 2024. https://news.bloomberglaw.com/business-and-practice/kirkland-ellis-targeted-in-massive-moveit-data-breach-lawsuit
- Reuters. “Law firm Kirkland sued in class action over MOVEit data breach.” June 10, 2024. https://www.xm.com/au/research/markets/allNews/reuters/law-firm-kirkland-sued-in-class-action-over-moveit-data-breach-53857385
- Canadian Lawyer. “Kirkland & Ellis faces lawsuit over data breach involving MOVEit software.” June 18, 2024. https://www.canadianlawyermag.com/news/international/kirkland-ellis-faces-lawsuit-over-data-breach-involving-moveit-software/386829
Orrick, Herrington & Sutcliffe (Case 2)
- HIPAA Journal. “Orrick, Herrington & Sutcliffe Data Breach Affected 637,000 Individuals.” April 15, 2024. https://www.hipaajournal.com/orrick-herrington-sutcliffe-data-breach/
- HIPAA Journal. “Orrick, Herrington & Sutcliffe Agree $8 Million Settlement.” November 13, 2024. https://www.hipaajournal.com/orrick-herrington-sutcliffe-8-million-settlement/
- BankInfoSecurity. “Court Finalizes $8M Settlement in Orrick Data Breach Litigation.” November 2024. https://www.bankinfosecurity.com/court-finalizes-8m-settlement-in-orrick-data-breach-litigation-a-26793
- Bloomberg Law. “Orrick Gains Approval for $8 Million Settlement in Breach Suit.” November 8, 2024. https://news.bloomberglaw.com/privacy-and-data-security/orrick-gains-approval-for-8-million-settlement-in-breach-suit-6
- ABA Journal. “Judge gives final OK to $8M settlement in Orrick data breach.” November 2024. https://www.abajournal.com/news/article/judge-gives-final-ok-to-8m-settlement-in-orrick-data-breach
- ClassAction.org. “Orrick, Herrington & Sutcliffe Data Breach Lawsuit.” August 28, 2024. https://www.classaction.org/orrick-herrington-sutcliffe-lawsuit
- Top Class Actions. “$8M Orrick, Herrington and Sutcliffe data breach class action settlement.” October 21, 2024. https://topclassactions.com/lawsuit-settlements/closed-settlements/8m-orrick-herrington-and-sutcliffe-data-breach-class-action-settlement/
Jones Day (Case 3)
- Flashpoint. “Law Firm Jones Day Hit with Ransomware Attack, Third-Party Accellion Software Blamed.” May 31, 2023. https://flashpoint.io/blog/jones-day-ransomware-attack-third-party-accellion-blamed/
- Bloomberg Law. “Jones Day Hit by Data Breach as Vendor Accellion Hack Widens.” February 17, 2021. https://news.bloomberglaw.com/business-and-practice/jones-day-hit-by-data-breach-as-vendor-accellion-hacks-widen
- Axel. “The Jones Day Law Firm Data Breach Serves as a Warning for Others.” May 21, 2021. https://www.axel.org/2021/05/21/the-jones-day-law-firm-data-breach-serves-as-a-warning-for-others/
- Hackread. “Clop ransomware gang leaks Jones Day law firm data on dark web.” February 17, 2021. https://hackread.com/clop-ransomware-gang-jones-day-dark-web-data-leak/
- Threatpost. “Stolen Jones Day Law Firm Files Posted on Dark Web.” February 18, 2021. https://threatpost.com/stolen-jones-day-law-firm-files-posted/164066/
- CPO Magazine. “Jones Day Law Firm Associated With Donald Trump Leaks Confidential Client Information in a Third-Party Data Breach.” February 27, 2021. https://www.cpomagazine.com/cyber-security/jones-day-law-firm-associated-with-donald-trump-leaks-confidential-client-information-in-a-third-party-data-breach/
Grubman Shire Meiselas & Sacks (Case 4)
- Variety. “Hackers Demand $21M in Ransomware Attack on Entertainment Law Firm.” May 13, 2020. https://variety.com/2020/digital/news/hackers-21-million-ransom-grubman-shire-meiselas-sacks-entertainment-law-firm-1234606193/
- Arctic Wolf. “Grubman Shire Meiselas & Sacks and the Lady Gaga Data Leak.” March 7, 2024. https://arcticwolf.com/resources/blog/legal-cybersecurity-grubman-shire-meiselas-sacks/
- CPO Magazine. “Ransomware Attack Hits One Public Figure After Another.” May 23, 2020. https://www.cpomagazine.com/cyber-security/ransomware-attack-hits-one-public-figure-after-another/
- EPIC Insurance Brokers. “Grubman Shire Meiselas Ransomware Attack.” December 2, 2024. https://www.epicbrokers.com/insights/grubman-shire-meiselas-sacks-attack/
- Infosecurity Magazine. “Law Firm to the Stars Confirms Ransomware Attack.” March 13, 2024. https://www.infosecurity-magazine.com/news/law-firm-to-the-stars-confirms/
Bryan Cave Leighton Paisner (Case 5)
- Top Class Actions. “$750K Mondelēz data breach class action settlement.” February 17, 2025. https://topclassactions.com/lawsuit-settlements/closed-settlements/750k-mondelez-data-breach-class-action-settlement/
- Law360. “Mondelez, BCLP Ink $750K Deal To End Data Breach Suits.” October 4, 2024. https://www.law360.com/articles/1887194/mondelez-bclp-ink-750k-deal-to-end-data-breach-suits
- ClassAction.org. “Court Preliminarily Approves $750K Mondelēz, BCLP Settlement.” January 16, 2025. https://www.classaction.org/news/court-preliminarily-approves-750k-mondelz-bclp-settlement-resolving-data-breach-lawsuits
- ABA Journal. “Client’s employees seek approval of data breach settlement after BigLaw firm hack.” October 2024. https://www.abajournal.com/news/article/biglaw-firm-and-client-agree-to-settlement-in-data-breach-suit-by-clients-employees
Wacks Law Group (NJ Small Firm)
- ClassAction.org. “Wacks Law Group Failed to Protect Private Data from Hackers, Class Action Claims.” September 10, 2024. https://www.classaction.org/news/wacks-law-group-failed-to-protect-private-data-from-hackers-class-action-claims
- New Jersey Law Journal. “A Law Firm Was Hacked. Now It Faces a Class Action Lawsuit.” August 23, 2024. https://www.law.com/njlawjournal/2024/08/23/a-law-firm-was-hacked-now-it-faces-a-class-action-lawsuit/
- Strauss Borrelli PLLC. “The Wacks Law Group Data Breach Investigation.” August 6, 2024. https://straussborrelli.com/2024/08/06/the-wacks-law-group-data-breach-investigation/
Genova Burns (NJ Mid-sized Firm)
- The Register. “Uber driver info stolen in yet another third-party breach.” April 3, 2023. https://www.theregister.com/2023/04/03/uber_drivers_info_stolen/
- BreachLock. “Third Party Security Breach Is Uber’s Third Breach in 6 Months.” March 26, 2024. https://www.breachlock.com/resources/blog/third-party-security-breach-is-ubers-third-breach-in-6-months/
- Black Kite. “Uber’s Third Data Breach: What You Need to Know.” April 6, 2023. https://blackkite.com/research/ubers-third-data-breach-what-you-need-to-know/
- Infosecurity Magazine. “Uber Drivers’ Data Exposed in Breach of Law Firm’s Servers.” April 2023. https://www.infosecurity-magazine.com/news/uber-data-exposed-law-firm-breach/
Industry Statistics and Analysis
- imageOne. “Top Law Firm Data Breaches and Cyberattacks.” February 28, 2025. https://www.imageoneway.com/blog/law-firm-data-breaches
- Threat Intelligence. “Inside the Breach: Real-Life Tales of Law Firm Hacks.” September 5, 2024. https://www.threatintelligence.com/blog/law-firm-data-breach
- Embroker. “Biggest law firm cyber attacks and trends.” September 11, 2024. https://www.embroker.com/blog/law-firm-cyber-attacks/