Legal Business Blogs

Allen & Overy suffers ‘data incident’ as ransomware group LockBit claims responsibility

Allen & Overy has confirmed that it has suffered a ‘data incident’. Posts on X from @FalconFeedsio, a self-described ‘threat intelligence platform for cybersecurity’, on Wednesday 8 November suggested that the ransomware group LockBit had targeted the firm and was threatening to release ‘all available data’ by 28 November.

‘We have experienced a data incident impacting a small number of storage servers’, said an A&O spokesperson. ‘Investigations to date have confirmed that data in our core systems, including our email and document management system, has not been affected.

‘The firm continues to operate normally with some disruption arising from steps taken to contain the incident.’

The firm claims that the incident is under control: ‘Our technical response team, working alongside an independent cybersecurity adviser, took immediate action to isolate and contain the incident. Detailed cyber forensic work continues to investigate and remediate the incident.

‘As a matter of priority, we are assessing exactly what data has been impacted, and we are informing affected clients. We appreciate that this is an important matter for our clients, and we take this very seriously. Keeping our clients’ data safe, secure, and confidential is an absolute priority.’

A&O declined to comment further. The firm did not respond to requests to confirm LockBit’s involvement.

In June, GCHQ’s National Cyber Security Centre (NCSC) issued a joint advisory alongside agencies from the United States, Australia, Canada, France, Germany, and New Zealand stating that LockBit was ‘almost certainly the most deployed ransomware strain in the UK and that it continues to present the highest ransomware threat to UK organisations.’

LockBit hit Royal Mail with a ransomware attack in January and leaked Royal Mail’s data on 23 February after Royal Mail refused to pay both an initial ransom demand of £66m and a subsequent demand for £47m. The cybercriminal group also announced that it had hit Boeing in late October. Boeing confirmed the cyberattack in early November and was re-added to LockBit’s list of victims on 7 November after disappearing from the list on 30 October, according to FalconFeeds.

The Solicitors Regulation Authority (SRA) in June 2022 issued a risk outlook report entitled ‘Information security and cybercrime in a new normal’. In the report, it noted that ‘increased dependence on IT’ since the Covid-19 pandemic ‘creates more opportunities for cybercriminals.’

A&O is not the first major firm to suffer a data breach. DLA Piper’s systems were taken down in 2017 when the firm was caught up in the NotPetya malware outbreak. And in June, the ransomware group CL0P posted the names of Kirkland & Ellis, K&L Gates, and Proskauer Rose to its leak site, although none of the firms responded to requests for comment.

BCLP, meanwhile, discovered it had been hacked in late February, in a breach that exposed the personal data of more than 50,000 current and former employees of client Mondelēz International. In June, a class action suit was filed against BCLP in the Northern District of Illinois. The case remains ongoing. BCLP did not respond to requests for comment.

‘These [data breaches] are causing a tremendous amount of harm’, said Thomas Zimmerman, an attorney at Chicago-based Zimmerman Law Offices, which is bringing the class action against BCLP. ‘Clients I represent who have had data stolen have dealt with loans being opened up in their names, their credit score hijacked, mortgages opened up in their names for homes. And they’re stuck with it, you can’t change a social security number like you can open a new bank account, people suffer the consequences for years.’

There has never been a data breach group action litigated in an English court. The prospects for bringing such a claim are complicated by the fact that opt-out claims can currently only be brought in England at the Competition Appeal Tribunal (CAT); the Supreme Court’s 2021 ruling in Lloyd v Google largely closed off the alternative representative-action route for damages claims that require individual assessment. And many in the market are sceptical that a data breach claim could be adequately formulated as a competition claim.

The A&O data breach was first reported in the Financial Times.