Cyber Incident Victim: Hollingsworth LLP
Date:
Jun 2021
Location:
United States of America
Summary
A major U.S. law firm suffered a significant data breach when cybercriminals affiliated with the 'Marketo' dark web marketplace exfiltrated 58GB of sensitive information, subsequently listing it for auction. The stolen data included client-related legal documents, financial records, and communications, with threat actors leveraging the marketplace's unique bidding system to intensify pressure on the victim through potential acquisition by competitors or malicious third parties. This incident aligns with a broader trend of cyberattacks targeting legal entities due to their repositories of confidential client data, as evidenced by prior breaches involving other prominent firms compromised via ransomware operations and exploited vulnerabilities in third-party services. The FBI has highlighted the growing threat of such ransomware activities, seeking increased funding to enhance cybercrime response capabilities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On June 25, 2021, cybercriminals operating the 'Marketo' dark web marketplace announced the theft and sale of 58GB of data from Hollingsworth, LLP, a major U.S.-based law firm. The announcement first appeared on the threat actors' Telegram channel at 7:14 AM Pacific Standard Time. Marketo positioned itself not as a traditional ransomware group encrypting systems, but as a specialized marketplace facilitating the auction of stolen data, with 3,248 registered users participating in bids. The Hollingsworth data listing attracted 71 bids on its first day of publication. This incident followed Marketo's prior publication of stolen data from the Clearfield Borough Police Department (Pennsylvania) and the Municipal Court of Princeton (West Virginia), which included 28GB of sensitive legal documents such as appeal letters, tax records, client agreements, and internal communications. Marketo's operators commented on the vulnerabilities in U.S. judicial system security, though their specific motivations for targeting law firms remained unclear.
The breach exposed Hollingsworth to significant reputational and operational risks due to the sensitive nature of legal client data typically held by major firms. This incident continued a pattern of attacks against legal sector targets, including the 2020 REvil ransomware attack on Grubman Shire Meiselas & Sacks that compromised 756GB of celebrity client data, and the February 2021 Clop ransomware breach of Jones Day through an Accellion file transfer vulnerability. Unlike these encryption-based attacks, Marketo's model focused exclusively on data exfiltration and monetization through competitive bidding, increasing pressure on victims by enabling unknown third parties—including potential competitors—to acquire and misuse stolen information. The FBI responded to the escalating threat landscape by requesting $40 million in additional fiscal 2022 funding during Senate testimony, specifically citing ransomware and cybercrime as critical priorities requiring enhanced investigative resources. Marketo's victim portfolio expanded to include over 45 organizations across multiple sectors, including Siemens Gamesa Renewable Energy, Navistar, and The City University of New York, demonstrating the broad targeting strategy of the marketplace operators.