Cyber Incident Victim: EY Law LLP
Date: May 2023
Location: Canada
Summary
EY Law LLP experienced an external system breach resulting in the acquisition of personal information including names and Social Security numbers. The incident impacted over 1,600 individuals, including three Maine residents. The firm provided affected persons with two years of credit monitoring and identity theft restoration services through TransUnion. Written notification of the event was sent to consumers.
Description
On May 27, 2023, EY Law LLP, a commercial entity based at 100 Adelaide Street West in Toronto, Ontario, postal code M5H 0B3, experienced a significant external system breach. The incident was an act of hacking that resulted in unauthorized access to the firm's systems. The breach was not discovered until four days later, on May 31, 2023, indicating a period in which the attackers potentially had undetected access to sensitive information. The discovery of the breach initiated the organization's incident response protocols, leading to an investigation to determine the full scope and impact of the unauthorized access.

The investigation confirmed that the breach resulted in the acquisition of sensitive personal information. The specific information acquired was names or other personal identifiers in combination with Social Security Numbers. This type of data is highly sensitive and is frequently targeted by cybercriminals due to its value in committing identity theft and financial fraud. The compromise of such information poses a direct and significant risk to the individuals affected.
The total number of persons affected by this data security incident was 1,653. This figure includes individuals from various locations, with the breach impacting a total of three residents of the state of Maine. Because the number of affected Maine residents was well below the 1,000-person threshold that triggers a specific regulatory requirement, the entity was not obligated to notify consumer reporting agencies about the breach incident under that particular statute. The focus then turned to notifying all affected individuals, regardless of their state or country of residence.
In response to the breach, EY Law LLP, operating through its legal representative, determined that written notification was the appropriate method to inform the affected individuals. The planning and execution of this notification process took a considerable amount of time, with the letters to consumers being sent out on August 3, 2023. This date, over two months after the breach was discovered, represents the point at which the affected individuals were formally made aware that their personal information had been compromised in the cyber attack.
As part of its response to mitigate the potential harm to the affected individuals, EY Law LLP offered to provide identity theft protection services. The firm enlisted TransUnion, a major consumer credit reporting agency, to provide these services. The offering included comprehensive credit monitoring and identity theft restoration services. The protection services were offered for a duration of twenty-four months, providing a two-year safety net for individuals to help detect any suspicious activity related to their credit profiles and to receive assistance in restoring their identities should they become victims of fraud as a result of this breach.
The submission of the breach notification to the Office of the Maine Attorney General was handled by Jarno Vanto, a partner at the law firm King & Spalding LLP. His contact information, including telephone number 2125162100 and an email address, was provided as the point of contact for the filing. His relationship to EY Law LLP was listed as attorney, indicating that external legal counsel was engaged to manage the regulatory and compliance aspects of the incident response. This filing provided the official details of the breach to the state authorities as required by law.
The document submitted to the Maine Attorney General's office serves as the primary public record of the incident. It confirms that this was a standalone event for EY Law LLP within the recent past, as the response indicated there were no previous breach notifications submitted by the entity within the preceding twelve-month period. The provided information outlines the basic chronology from the date of occurrence to the date of consumer notification and details the specific types of personal information that were exposed, the number of people impacted, and the remedial actions taken.
The breach represents a clear example of a cybersecurity incident where external threat actors successfully penetrated a system to exfiltrate highly sensitive personal data. The impacted information, specifically the combination of names and Social Security Numbers, is considered a primary target for cybercriminals. The acquisition of this data class by unauthorized parties creates a long-term risk for the individuals involved, as this information can be used to open new lines of credit, file fraudulent tax returns, or commit other forms of identity-related crimes long after the initial breach has been contained.
The organizational response included the key components of breach discovery, investigation, regulatory filing, and consumer notification coupled with an offer of protective services. The offering of two years of credit monitoring and identity theft restoration is a standard remedial action in the industry for breaches involving Social Security Numbers. This service is designed to act as a mitigating control, providing affected persons with tools to monitor their credit reports for signs of misuse and with expert support to help recover their identities if fraud occurs.
The incident underscores the persistent threat that hacking poses to organizations holding sensitive personal data. While the specific technical details of the attack vector, such as the initial point of entry or the tools used by the attackers, were not disclosed in the public filing, the classification of the event as an external system breach confirms it originated from outside the organization's network. The four-day gap between occurrence and discovery highlights a common challenge in cybersecurity: the time it takes for organizations to detect a compromise after it has initially taken place.
The consequences of the breach for EY Law LLP involved engaging external legal counsel, coordinating with a credit monitoring service provider, and executing a consumer notification campaign across multiple jurisdictions. For the 1,653 affected individuals, the consequences involved receiving a notice informing them their data was compromised and enrolling in the offered protection services to safeguard their financial identities. The three Maine residents received the same notice and offer of services as all other affected persons. The breach filing remains a matter of public record with the State of Maine, documenting the event and the entity's response to it.
