US legal eagles representing Apple, IBM, and more take 5 months to inform clients of ransomware data breach

Law firm Campbell Conroy & O'Neil has warned of a breach from late February which may have exposed data from the company's lengthy client list of big-name corporations including Apple and IBM.

The breach, which was discovered on 27 February 2021 when a ransomware infection blocked access to selected files on the company's internal systems, has been blamed on an unnamed "unauthorised actor."

At the time of writing, none of the usual suspects had claimed responsibility. For REvil, one of the biggest and most successful ransomware groups, that's no surprise: its websites have been down for a week and counting after a wide-ranging attack on IT management firm Kaseya and its clients.

While it's not yet known precisely what data was accessed during the breach, the system affected held a treasure trove including "certain individuals' names, dates of birth, driver's license numbers/state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials (i.e. usernames and passwords)," the company confirmed in a statement regarding the attack.

• Gung-ho tank gamer spills classified docs in effort to win online argument
• Report sheds light on 'cocky' but 'creative' Mespinoza ransomware group
• You'll never Guess whose data has been nicked as US fashion firm confirms systems breach
• Oi! Our British Airways data breach compo sueball is still going, shouts rival law firm

"Campbell is committed to, and takes very seriously, its responsibility to protect all data entrusted to us," the company continued. "As part of our ongoing commitment to the privacy of personal information in our care, we are reviewing our existing policies and procedures, and are working to implement additional safeguards to further secure our information systems."

The company has also offered those affected a 24-month subscription to credit monitoring, fraud consultation, and identity theft restoration services – but only if they had their Social Security numbers held on the system. For those whose data did not include Social Security numbers, they get nothing bar the company's apologies.

Founded in 1983, Campbell boasts a laundry list of big clients across a range of industries including Ford, Toyota, Honda, and others in automotive; British Airways, Boeing, Continental Airlines, Gulfstream, and others in aerospace; Monsanto, Corning, Dow Chemical, and others in the chemical industry; Apple, IBM, Toshiba Information Systems, and others in computing; Exxon Mobil and BP-owned Amoco in oil; and others too numerous to mention across consumer products, heavy equipment and industrial machinery, insurance, medical and pharmaceutical, retail, transportation, and more.

In short: the impact of the breach could be felt by a huge number of companies, not just Campbell itself. Depending on what data was exposed, it could spell a repeat of the attack on Grubman Shire Meiselas & Sacks last year, which exposed client data belonging to A-list celebrities.

Campbell confirmed it had enlisted unnamed "third-party forensic investigators" to investigate the attack, and that it had informed the FBI of the breach. It did not, however, indicate why it had taken five months to alert its clients.

Campbell had not responded to a request for additional comment by the time of publication. ®