Cyber Incident Victim: Chicago Bar Association

In March 2020, a ransomware attack targeted TBG West Insurance, a vendor used by Cadwalader, Wickersham & Taft, potentially exposing personal information of the BigLaw firm's current and former employees. Cadwalader learned in July 2020 that Social Security numbers might have been compromised during this incident, though the breach did not affect the firm's internal systems or client data. Separately, the New York City Bar Association and Chicago Bar Association discovered unauthorized code injections on their websites through third-party software, which may have harvested visitors' credit card information. These bar associations reported their breaches to the Maryland attorney general’s office, with Law.com uncovering these filings in November 2020 alongside Cadwalader’s notification to Massachusetts regulators. The attacks collectively demonstrated vulnerabilities in third-party vendor security across legal sector entities.

The Chicago Bar Association breach specifically involved malicious code inserted via external software providers, directly threatening financial data security for website users. Cadwalader emphasized that their exposure stemmed entirely from their vendor’s compromised systems, not their own infrastructure. No operational disruptions or client data losses were reported by the law firm or bar associations. Public disclosures focused on potential data access rather than confirmed misuse, with notifications fulfilling state regulatory requirements in Massachusetts and Maryland. The incidents highlighted parallel security challenges: ransomware targeting vendor networks and web skimming attacks exploiting third-party website integrations.