Data Privacy Alert Library
A collection of summaries of important privacy news with expert analyses.
Alert shelved under Data Breaches
American Bar Association Database Hacked
Oct 4, 2023
Why This Alert Is Important

Given the critical role counsel, both in-house and external, play in organizations’ response to data breaches, it will be interesting to watch how the American Bar Association (ABA) responds to the news that their database has been breached, affecting 1.5 million members.

Overview

In April 2023, the ABA began notifying its members that it had detected an intruder on its network about a month earlier, on March 17, 2023, and that the intruder may have gained access to members' login credentials from a legacy database that had been taken offline in 2018. Initial reports indicate that approximately 1.5 million members' information was compromised. With prominent AmLaw 200 firms continuing to make headlines for data breaches, concerns about data security throughout the legal industry seem well founded at this point.

The breach affected information stored in relation to the ABA’s pre-2018 website and career center. Compromised account information included usernames and passwords. The passwords were not encrypted, but instead “hashed and salted”. Users who have not transitioned their accounts to the new website login system or updated their passwords since 2018 should do so. (Although one wonders what might motivate a person to update their password after five years of not doing so.) According to the ABA, other information in member profiles (including names, addresses, contacts, bar admissions, educational and demographic data, and credit card numbers) was not compromised.


What is Covered

ABA members and ex-members who had login credentials to the pre-2018 ABA website have been affected by this breach. Members include lawyers, paralegals, and other legal professionals. Given that there are on the order of 1.3 – 1.5 million active attorneys in the US, the breach certainly affects a substantial proportion of lawyers currently practicing in the US today.

The day after notifications went out from the ABA, a New York-based law firm, Troy Law PLLC, filed a class action lawsuit against the ABA, alleging that the organization "did not come close to meeting the standards of commercially reasonable steps that should be taken to protect customers' personal identifying information." The complaint alleges that the breach included financial information that the hackers "continue to use," which appears to contradict the ABA's statements that "the bad actor obtained only user names and encoded (salted and hashed) passwords—not other personal information and no financial data" and that it was unaware of anyone's information being misused by the hackers.

Expert Analysis
Jessica Engler
CIPP/US, Partner, Kean Miller

Incidents like this one affecting ABA legacy website users are a lesson in good password hygiene. The legacy website's login credentials were not encrypted, and were instead obstructed through a process called "hashing and salting." Passwords are hashed when they are put through a hashing algorithm, which transforms plain text into an unintelligible series of numbers and letters. Salting is the process of adding additional random letters and numbers to a password before hashing. While more secure than plain text storage, hashing and salting is not infallible, and the passwords could be dehashed over time. If the user uses the same username and password for their current ABA account, then the legacy passwords could be used by a threat actor to log into the ABA member's current account. Users should change the passwords for their ABA accounts if they have not done so recently. Users should also review other online account credentials to ensure that the at-risk password is not being used for any other websites. Using unique, strong passwords for each online account is an important step in minimizing the impact of data incidents.
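The Overview and the Expert Analysis above both describe the leaked credentials as "salted and hashed" and warn that such passwords can still be recovered and reused. The Python below is an added example, written for this alert and not taken from the ABA or from Ms. Engler, that makes those two points concrete: it stores constructed sample accounts with a per-user salt, runs the kind of offline dictionary attack an attacker would run against a leaked dump, shows why a fast hash (salted SHA-256) falls quickly while a slow key-derivation function (PBKDF2) only raises the cost, and then replays the recovered password against a second "current" site to illustrate credential reuse. All usernames, passwords and wordlist entries are invented for the demonstration; the ABA has not published which hash function it used.

```python
"""Salted password hashing, offline guessing, and credential reuse.

Added example for this alert; not the ABA's code. Every user, password
and wordlist entry below is constructed for illustration only.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed mini wordlist standing in for the multi-million-entry
# dictionaries attackers run against a leaked hash dump.
WORDLIST = ["password", "123456", "letmein", "Welcome1", "lawyer2018", "abajustice"]


def sha256_kdf(password: str, salt: bytes) -> bytes:
    """Salted SHA-256. The per-user salt defeats precomputed (rainbow)
    tables, but SHA-256 is fast, so each guess costs the attacker almost
    nothing: this is the weak pattern."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def pbkdf2_kdf(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. Same salt role, but every guess costs
    `iterations` HMAC computations, so offline guessing is far slower."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(username: str, password: str, kdf, salt: Optional[bytes] = None) -> dict:
    """What a site actually stores: username, per-user random salt, hash."""
    salt = os.urandom(16) if salt is None else salt
    return {"username": username, "salt": salt, "hash": kdf(password, salt)}


def verify(record: dict, password: str, kdf) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(kdf(password, record["salt"]), record["hash"])


def dictionary_attack(record: dict, wordlist, kdf):
    """Offline guessing against one leaked record (the attacker holds the
    salt and the hash). Returns (recovered_password_or_None, guesses_tried)."""
    for n, guess in enumerate(wordlist, start=1):
        if verify(record, guess, kdf):
            return guess, n
    return None, len(wordlist)


def credential_stuffing(leaked_creds: dict, other_site: list, kdf) -> list:
    """Replay recovered username/password pairs against another site's
    records; returns the usernames whose reused password still works."""
    hits = []
    for record in other_site:
        pw = leaked_creds.get(record["username"])
        if pw is not None and verify(record, pw, kdf):
            hits.append(record["username"])
    return hits


def demo():
    # Two users with the same password get different hashes because the salts differ,
    # so an attacker cannot spot shared passwords or reuse one cracked hash for both.
    alice = make_record("alice", "lawyer2018", sha256_kdf)
    bob = make_record("bob", "lawyer2018", sha256_kdf)
    print("same password, different hashes:", alice["hash"] != bob["hash"])

    # Weak password under a fast hash: recovered within a handful of guesses.
    # Strong random password: the wordlist is exhausted with no hit.
    carol = make_record("carol", "9v!Qp#2xLm&7tRzW", sha256_kdf)
    print("alice (weak pw, salted SHA-256):", dictionary_attack(alice, WORDLIST, sha256_kdf))
    print("carol (strong pw, salted SHA-256):", dictionary_attack(carol, WORDLIST, sha256_kdf))

    # Same weak password under PBKDF2: still recoverable, just ~600k times costlier per guess.
    alice_slow = make_record("alice", "lawyer2018", pbkdf2_kdf)
    pw, n = dictionary_attack(alice_slow, WORDLIST, pbkdf2_kdf)
    print(f"alice under PBKDF2: {pw!r} after {n} guesses ({n * 600_000:,} HMAC computations)")

    # Password reuse: the legacy password also opens alice's account on the "current" site,
    # while bob, who chose a different password there, is unaffected.
    current_site = [make_record("alice", "lawyer2018", pbkdf2_kdf),
                    make_record("bob", "a-different-passphrase", pbkdf2_kdf)]
    recovered = {"alice": "lawyer2018", "bob": "lawyer2018"}
    print("credential stuffing hits:", credential_stuffing(recovered, current_site, pbkdf2_kdf))


if __name__ == "__main__":
    demo()
```

The salt buys exactly one thing: each hash must be attacked individually rather than looked up in a precomputed table. It does nothing about the attacker's guess rate, which is set by the hash function and the password's strength, so a salted hash of a dictionary word is recovered in seconds either way, and a user who reused that password elsewhere is exposed there too.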

Data Privacy Tip

Sadly, data breaches affecting the legal industry are nothing new. Ransomware, malware, and breach incidents have been going on for years. Make sure you understand the threat landscape with this visual guide from Exterro.
