Cyber Incident Victim: Baker Wotring

Date: Feb 2020

Location: United States of America

Summary

A Texas-based law firm experienced a significant cybersecurity breach when the hacking group Maze infiltrated its systems and publicly released a comprehensive data dump containing sensitive client information, including fee agreements and personal injury case diaries. The incident occurred as part of a broader campaign targeting multiple law firms, with Maze typically demanding ransoms between $1 million and $2 million to prevent data exposure. While the firm's compromised data was fully disclosed by the attackers, another unrelated legal practice concurrently addressed suspicious network activity by taking systems offline but reported no evidence of client data compromise at that stage.

Description

On or around February 10, 2020, the Texas-based law firm Baker Wotring experienced a significant cybersecurity incident involving the unauthorized access and public exposure of sensitive internal data by the hacking group Maze. The 11-attorney firm, specializing in personal injury cases, had its operational documents systematically compromised, including confidential fee agreements and case diaries containing client-related information. Maze publicly announced the breach as a "full dump" of the firm's data, indicating the comprehensive extraction and publication of stolen materials. This action aligned with Maze's established ransomware tactics, wherein the group infiltrates networks, exfiltrates sensitive data, and threatens public release unless victims pay ransoms typically ranging from $1 million to $2 million. Baker Wotring was identified as one of at least five law firms targeted by Maze in a concentrated campaign beginning the prior month, reflecting the group's deliberate focus on legal sector vulnerabilities. The publication of internal documents exposed case-specific details that could compromise client confidentiality and legal strategies.

The incident's immediate impact centered on the irreversible exposure of proprietary and client-associated records, with no public indication that Baker Wotring recovered or secured the leaked data. Unlike contemporaneous breaches at other firms, such as Wilson Elser Moskowitz Edelman & Dicker—which contained its incident through network isolation—Baker Wotring's data release demonstrated Maze's follow-through on extortion threats when ransoms were unmet. The compromised materials revealed granular operational practices, including billing structures and litigation timelines, potentially undermining ongoing cases and client trust. Maze's operational pattern suggested the group had maintained persistent network access prior to the data dump, though the specific intrusion vector and duration of unauthorized access remained undisclosed. No remediation efforts or forensic findings by Baker Wotring were documented in available reports, leaving the breach's full technical scope and post-incident response unclear. The firm's inclusion in Maze's multi-firm targeting spree highlighted systemic cybersecurity risks within smaller legal practices handling high-stakes litigation data.
