Cyber Incident Victim: New York City Bar Association
Date: Mar 2020
Location: United States of America
Summary
A ransomware attack on a third-party vendor, TBG West Insurance, compromised data from multiple legal entities, including the New York City Bar Association and a BigLaw firm. The vendor breach exposed personal information of the firm's current and former employees, potentially including Social Security numbers, though the firm’s internal systems and client data remained unaffected. Separately, the bar associations reported unauthorized code inserted via third-party software on their websites, which may have captured credit card information from users. The incidents were disclosed through regulatory filings after the vendor attack was identified.
Description
In 2020, multiple legal organizations disclosed data breaches linked to third-party vendor compromises. Cadwalader, Wickersham & Taft reported that a March ransomware attack against TBG West Insurance – a vendor handling employee data – potentially exposed personal information of current and former staff. The law firm confirmed in July that Social Security numbers might have been copied during the incident, though its internal systems and client data remained unaffected. Separately, the New York City Bar Association and Chicago Bar Association notified Maryland’s attorney general about unauthorized code injections on their websites through third-party software, which may have harvested visitors’ credit card details. These breaches were identified through mandatory regulatory filings with Massachusetts and Maryland authorities, with Law.com first reporting the disclosures in November 2020.

The incidents highlighted supply chain vulnerabilities across legal entities. Cadwalader emphasized the breach originated solely within its vendor’s infrastructure, requiring no internal system remediation. Both bar associations indicated the compromise stemmed from external software components integrated into their web platforms, though neither specified the vendor involved or precise timelines beyond the 2020 reporting window. No operational disruptions or client data exposures were reported by any organization. Regulatory filings confirmed potential access to sensitive employee and financial information, triggering breach notifications consistent with state disclosure laws. The ransomware attack on TBG West Insurance represented one of several third-party incidents affecting law firms that year, following similar disclosures by Seyfarth Shaw and Fragomen.
