Cyber Incident Victim: Jones Day
Date:
Apr 2026
Location:
United States of America
Summary
Jones Day was targeted by the Silent Ransom Group, which released data belonging to ten of the firm’s clients. The incident highlighted the heightened cybersecurity risks facing law firms and triggered review of ethical duties to safeguard client information, provide timely breach notice, and supervise vendors. It also underscored potential regulatory obligations under state and federal breach‑notification laws and the possibility of class‑action litigation alleging negligence, breach of implied contract, and fiduciary duty. Firms are reminded that failure to implement reasonable protections may lead to disciplinary action, enforcement penalties, and civil liability.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Law firms are especially attractive targets for data breaches due to the volume and sensitivity of the information they hold. In April 2026, Jones Day became the latest victim of the Silent Ransom Group, a hacking ring known for posting stolen data. The Silent Ransom Group released data belonging to ten of Jones Day’s clients. The article does not specify the types of data that were exposed. The incident occurred amid a broader trend of cyberattacks targeting legal practices. Bloomberg Law reported the incident on May 19, 2026.
The posting of client data raises potential notice obligations under various state and federal breach‑notification laws. Firms that experience such breaches must evaluate whether they know or should reasonably know that a breach has occurred and notify affected clients if material information is involved. The article notes that failure to provide timely notice can increase the risk of identity theft and may give rise to class‑action claims. It also mentions that affected individuals may pursue claims for negligence, breach of implied contract, or breach of fiduciary duty. The article cites examples of settlements in other law‑firm breach cases to illustrate possible financial consequences. No further details about Jones Day’s specific response, containment measures, or remediation are provided in the source.