
Cyber Incident Victim: Proskauer Rose LLP

Date: May 2023

Location: United States of America

Summary

Proskauer Rose LLP experienced a data security incident involving unauthorized third-party access to its MOVEit file transfer application. The breach affected personal information, including names and addresses, contained within documents related to a client transaction for Apogem Capital. The firm terminated the vulnerable instance and engaged cybersecurity experts to investigate. While no identity theft was reported, the company offered affected individuals complimentary credit monitoring and identity restoration services.


Description

On or around May 27, 2023, Proskauer Rose LLP experienced a data security incident. The incident was part of a larger, global attack campaign that exploited a vulnerability in the MOVEit file transfer software. The ransomware group known as Clop, also referred to as TA505, claimed responsibility for the broader attack, which affected numerous multinational corporations, including the law firms Kirkland & Ellis and K&L Gates. This group, believed to have ties to Russia, often conducts attacks around holidays, and this particular exploitation occurred during the Memorial Day weekend in the United States. The attackers, who identify themselves as "Lace Tempest," unlawfully acquired data from Proskauer's MOVEit instance.


The specific data compromised at Proskauer Rose was contained within documents in the firm's possession relating to a transaction for its client, Apogem Capital. An unauthorized third party exfiltrated this data. Upon learning of the vulnerability, Proskauer promptly terminated its MOVEit instance. The firm then engaged leading cybersecurity and forensic experts to conduct a full investigation into the incident. The purpose of this investigation was to determine the scope of the compromised data and to identify which individuals were affected in order to provide them with notification.

The investigation determined that the personal information of individuals was affected. The compromised data included names and addresses. Proskauer stated that there was no indication of identity theft or fraud resulting from the event at the time of its notification. The firm undertook a process to notify affected individuals directly via mail. These notification letters, dated August 28, 2023, provided details about the incident and the steps Proskauer was taking in response. The scale of the broader MOVEit attack campaign was significant, with a cybersecurity expert estimating that more than 16 million people may have been affected across all the victim organizations, which included universities, banks, and insurance companies in addition to law firms.

In its response, Proskauer offered affected individuals access to 24 months of complimentary credit monitoring and identity restoration services through Experian. The enrollment deadline for this service was set for November 30, 2023. The services offered included daily credit monitoring from all three major credit bureaus: Experian, Equifax, and TransUnion. They also included identity restoration support from specialists, who were made available to help address both credit and non-credit related fraud. This support included assistance with disputing charges, placing credit freezes, and contacting government agencies. Furthermore, the offering included up to $1 million in identity theft insurance, underwritten by American Bankers Insurance Company of Florida. Proskauer established a dedicated toll-free number for affected individuals to call with additional questions and provided them with a specific engagement number to reference.

The notification letters also contained extensive additional resources and recommendations for individuals to protect themselves, though these were presented as general guidance and not as an admission of specific risk from this incident. These resources included information on how to obtain free credit reports, place initial or extended fraud alerts on credit files, and initiate security freezes. The letters also summarized consumer rights under the Fair Credit Reporting Act (FCRA) and provided contact information for the Federal Trade Commission and major credit reporting agencies. The Clop group behind the attack is known for demanding millions of dollars in extortion fees from its victims. In a related development, the U.S. State Department had previously placed a $10 million bounty on the group's leader, seeking information tying the group to a foreign government. The incident at Proskauer Rose represents a single instance within a widespread exploitation of a zero-day vulnerability in a commonly used enterprise file transfer tool, leading to a significant compromise of personal data across a global landscape of victims.
