Cyber Incident Victim: Clark Patterson Lee
Date: Jun 2022
Location: United States of America
Summary
Clark Patterson Lee experienced a ransomware attack involving unauthorized encryption of network files, which may have exposed sensitive consumer data. The architecture and engineering firm engaged cybersecurity experts, who confirmed that an intruder accessed certain files containing personal information over a two-day period. Following an internal review that identified the affected individuals, CPL issued breach notification letters; based on the regulatory reporting standards that triggered notification, the compromised data likely included Social Security numbers or financial details. The incident illustrates the ransomware model in which attackers encrypt files to extort payment, though the firm did not publicly confirm whether data was exfiltrated or a ransom was demanded.
Description
On June 10, 2022, Clark Patterson Lee detected a potential network security incident when certain files on its network appeared encrypted, prompting the company to engage external cybersecurity professionals for investigation. The investigation determined an unauthorized actor accessed specific files on CPL’s servers between June 9 and June 10, 2022. CPL confirmed that compromised files contained sensitive consumer information, though the company did not publicly specify the exact data types involved. By July 28, 2022, CPL completed its review of affected files to identify impacted individuals and the nature of the exposed information. The firm reported the breach to the Office of the Attorney General of Vermont and initiated consumer notifications on August 15, 2022, consistent with state data breach reporting protocols. CPL, a Latham-based architecture and engineering firm with 434 employees and $175 million annual revenue, did not disclose whether operational systems beyond file encryption were disrupted or whether data exfiltration occurred.

The encryption of files during the incident strongly indicated a ransomware attack, though CPL did not explicitly confirm this attribution. Ransomware typically involves malware that encrypts victim data, demanding payment for decryption, with some threat actors additionally threatening to publish stolen data. CPL’s breach notification letters referenced file encryption as the initial detection trigger but omitted details on ransom demands, payments, or data publication threats. The company’s response included securing external cybersecurity support, conducting a two-month file review, and complying with breach notification requirements. No information was provided regarding the number of affected individuals, specific data elements confirmed as compromised, or remediation measures offered to victims. The incident exposed sensitive consumer data for two days before detection, with breach notifications issued 66 days after the initial intrusion and 36 days after completing the file review.
