Legal Business

Allen & Overy dodges data leak bullet as firm tight-lipped on ransom outcome


As the deadline for Allen & Overy (A&O) to pay a multimillion dollar ransom on its data passed by without incident on 28 November, the firm declined to comment on whether it had paid the cyber criminals off.

On 9 November A&O said it had suffered a ‘data incident’. Posts from X user and self-described ‘threat intelligence platform for cybersecurity’ @FalconFeedsio on Wednesday 8 November suggested that notorious cyber criminal group LockBit had targeted the firm, with a threat to release ‘all available data’ by 28 November.

At the time of going to press, the firm declined to confirm the reason for its removal from LockBit’s list of targets the day before the deadline.

‘We have experienced a data incident impacting a small number of storage servers’, said an A&O spokesperson when news of the data breach first broke. ‘Investigations to date have confirmed that data in our core systems, including our email and document management system, has not been affected.’

The attack came as A&O built out its cyber security offering with the hire of Norton Rose Fulbright partners Ffion Flockhart and Charlie Weston-Simons. A Legal 500 Leading Individual for data protection, privacy and cyber security, Flockhart was also global co-head of information governance, privacy, and cyber security at her former firm. The moves were announced less than a week after A&O confirmed the attack, and less than two weeks before the ransom deadline.

According to a report published in November by cyber threat analysis platform Analyst1, LockBit established new guidelines for how its affiliates should conduct ransom negotiations, in effect from 1 October. Under the new guidelines, LockBit actors are advised to extort companies with revenue of more than $1bn for 0.1% to 3% of their turnover. With revenue of $2.6bn in this year’s Global 100 report, A&O’s exposure could range from $2.6m to $78m.

The report also notes that LockBit actors may decrease their ransom demands if the damage of the attack is limited. It includes a screenshot of a July 2022 negotiation in which a LockBit actor dropped their ransom demand from $3m to $1m ‘given that your network was not completely infected’. The group’s new guidelines advise against discounts of more than 50% of the initial demand.

LockBit hit Royal Mail with a ransomware attack in January and leaked Royal Mail’s data on 23 February after Royal Mail refused to pay both an initial ransom demand of £66m and a subsequent demand of £47m.

Boeing confirmed a cyber attack in early November and was re-added to LockBit’s list of victims on 7 November after disappearing from the list on 30 October, according to FalconFeeds.

LockBit published Boeing’s data on 10 November. Boeing shared information with the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, leading a clutch of organisations to issue a further joint advisory on 21 November. The joint advisory warned that LockBit exploited the so-called ‘Citrix Bleed’ vulnerability, which ‘allows threat actors to bypass password requirements and multifactor authentication’ on Citrix NetScaler web application delivery control and Gateway appliances. Citrix Bleed was disclosed and patched in October, but companies that have not updated their software remain vulnerable. A&O did not confirm whether the attack was related to Citrix Bleed.

More broadly, the SRA in June 2022 issued a risk outlook report titled ‘Information security and cyber crime in a new normal’. In the report, it noted that ‘increased dependence on IT’ since the Covid-19 pandemic ‘creates more opportunities for cybercriminals’. Tech lawyers echo these concerns, and litigators increasingly point to data breach disputes as a rising trend for the coming year.

A&O is not the first major firm to suffer from a data breach. DLA Piper was shut down by a cyber attack in 2017. And in June, ransomware group CL0P posted the names of Kirkland & Ellis, K&L Gates, and Proskauer Rose to its leak site, although none of the firms responded to requests for comment.

Bryan Cave Leighton Paisner (BCLP), meanwhile, discovered it had been hacked in late February, in a breach that exposed the personal data of more than 50,000 current and former employees of client Mondelēz International. In June, a class action suit was filed against BCLP in the Northern District of Illinois. The case is ongoing. BCLP did not respond to requests for comment.

‘These [data breaches] are causing a tremendous amount of harm,’ said Thomas Zimmerman, an attorney at Chicago-based Zimmerman Law Offices, which is bringing the class action against BCLP. ‘Clients I represent who have had data stolen have dealt with loans being opened up in their names, their credit score hijacked, mortgages opened up in their names for homes. And they’re stuck with it, you can’t change a social security number like you can open a new bank account, people suffer the consequences for years.’

There has never been a data breach group action litigated in an English court. The prospects for bringing such a claim are complicated by the fact that opt-out claims can currently only be brought in England at the Competition Appeal Tribunal (CAT). And many in the market are sceptical that a data breach claim could be adequately formulated as a competition claim.

Additional reporting by Bethany Burns

alexander.ryan@legalease.co.uk