Cyber Incident Victim: DeCotiis, FitzPatrick, Cole & Giblin, LLP
Date:
Apr 2020
Location:
United States of America
Summary
A New Jersey law firm experienced unauthorized access to employee email accounts over a limited timeframe, discovered during an investigation into suspicious activity. The breach potentially exposed emails and attachments containing sensitive client and individual information, including names, dates of birth, Social Security numbers, and driver’s license or state identification details. Following discovery, the firm secured affected accounts, engaged forensic experts to assess the incident, and conducted extensive reviews to identify impacted parties. While no actual misuse was reported, the organization implemented additional security measures, enhanced employee training, and offered credit monitoring to affected individuals. Regulatory notifications were also initiated as part of the response efforts.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or about May 4, 2020, DeCotiis, FitzPatrick, Cole & Giblin, LLP (DFCG) detected suspicious activity in an employee email account, prompting immediate steps to secure the account and initiate an investigation with third-party IT experts and forensic investigators. The investigation determined that an unauthorized actor accessed certain employee email accounts during separate periods between April 28, 2020, and May 8, 2020, potentially exposing emails and attachments within those accounts. While the investigation confirmed unauthorized access to the accounts, it could not verify whether specific emails or attachments were viewed or exfiltrated by the threat actor. Between May 4 and the completion of the forensic review, DFCG focused on containment by resetting compromised account passwords and verifying the security of email systems. By September 16, 2020, DFCG concluded a programmatic and manual review of the impacted email accounts to identify the types of sensitive information present, which revealed names, dates of birth, Social Security numbers, and driver’s license or state identification numbers belonging to current or former clients and individuals involved in legal matters handled by the firm.
The breach exposed personal data but yielded no reports of actual or attempted misuse as of March 22, 2021. DFCG notified affected individuals, offering credit monitoring services and establishing a dedicated assistance line for inquiries. The firm also committed to notifying state regulators as required by law. In response to the incident, DFCG reviewed and reinforced its existing security policies, implemented additional safeguards, and expanded employee training on data privacy and security practices. The delayed notification timeline—from the May 2020 discovery to the March 2021 public notice—reflected the extensive forensic review and internal file analysis required to identify impacted individuals and their contact information. DFCG emphasized its ongoing efforts to secure client data but did not disclose technical details about the attack vector, the number of affected accounts, or whether ransomware or malware was involved in the compromise.