Cyber Incident Victim: New York City Bar Association

Date: Jan 2023

Location: United States of America

Summary

The New York City Bar Association experienced a ransomware attack by the CL0P gang, which claimed to have exfiltrated over 1.8 terabytes of data including client, employee, and case information while encrypting systems. The attackers publicly criticized the organization for inadequate security practices and leaked passport documents of unidentified individuals, though the context for their possession remained unclear. Despite the breach occurring weeks prior, the association had not publicly acknowledged the incident or confirmed whether affected parties or regulators were notified at the time of reporting.

Description

In or around mid-December 2022, the CL0P ransomware gang executed an attack against the New York City Bar Association, compromising its systems and exfiltrating over 1.8 terabytes of data. The attackers encrypted the organization’s systems, rendering them inaccessible, but the Bar Association did not publicly disclose the incident at the time. CL0P publicly claimed responsibility for the attack on January 13, 2023, by adding the NYC Bar Association to their data leak site. In their announcement, the threat actors accused the organization of failing to adequately protect client, employee, and case-related data, alleging negligence in cybersecurity responsibilities. They emphasized the scale of the breach by stating the data volume necessitated staggered releases over several weeks and criticized the Bar Association for attempting to conceal the incident rather than notifying affected parties.

As evidence supporting their claims, CL0P published a redacted screenshot of an internal file directory from the Bar Association’s systems, though the specific contents were not detailed in available reports. Additionally, the group leaked screenshots of passports belonging to unidentified individuals, raising questions about why the legal organization possessed such documents. CL0P threatened legal repercussions and regulatory fines against the Bar Association, framing their actions as consequences for inadequate data protection practices. At the time of the initial public disclosure, the NYC Bar Association had not issued any statements regarding the attack, its impact, or notifications to regulators, employees, or clients whose data was potentially exposed. DataBreaches.net contacted the organization for clarification on these points but received no immediate response, leaving the scope of data exposure, operational disruptions, and remediation efforts unconfirmed by the victim organization. The incident highlighted potential risks to sensitive legal and personal information held by professional associations.
