Bricker & Eckler LLP
| Primary URL | Location | Industry |
|---|---|---|
| bricker[.]com | Country: United States of America | Financial Services |
Profile
Bricker & Eckler LLP is a United States-based law firm that became the subject of a significant cybersecurity incident in January 2021. A ransomware attack against the firm enabled unauthorized access to a broad array of sensitive personal information, including names, addresses, medical and educational records, driver’s licenses, and Social Security numbers. The breach vector was traced through the firm’s contractor, INCompliance Consulting, which was engaged in work related to Michigan State University’s Title IX investigations. This connection resulted in the exposure of confidential case files, reports, and emails pertaining to approximately 350 individuals associated with those university investigations, with the personal data of six specific individuals being directly leaked. While the law firm successfully recovered the accessed data from its own systems, it publicly acknowledged the distinct possibility that the attackers had already copied the information before detection.
The incident underscored Bricker & Eckler’s role in handling highly confidential legal and educational records, particularly within the sensitive domain of Title IX compliance and investigations, albeit through a third-party contractual arrangement. Michigan State University confirmed that its internal IT infrastructure remained secure and that active Title IX cases were not disrupted, indicating the compromise was isolated to the data shared with or accessible through the external consultant. This supply chain vulnerability highlighted the extended risk exposure when legal firms manage delicate institutional matters via subcontractors. Bricker & Eckler’s response focused on data restoration and a transparent admission regarding the potential for data exfiltration, a critical detail in the subsequent assessment of harm for affected individuals. The event serves as a notable example of how ransomware groups target professional services firms to access the valuable, sensitive data of their clients, particularly within the education sector. The firm’s experience illustrates the profound reputational and legal ramifications that can follow a breach involving protected educational and personal information, even when the primary client’s own systems are not directly infiltrated.
