back to article US legal eagles representing Apple, IBM, and more take 5 months to inform clients of ransomware data breach

Law firm Campbell Conroy & O'Neil has warned of a breach from late February which may have exposed data from the company's lengthy client list of big-name corporations including Apple and IBM. The breach, which was discovered on 27 February 2021 when a ransomware infection blocked access to selected files on the company's …

  1. Pascal Monett Silver badge
    Flame

    "Campbell is committed to, and takes very seriously, its responsibility . ."

    Yes. Of course. The usual bullshit.

    You're committed to, of course. You take very seriously, obviously.

    And you took five fucking months to reveal the problem.

    That is a brilliant demonstration of your actual commitment.

    Five months, during which your responsability to protect data left your customers exposed.

    Burning at the stake is too good for you.

    1. Potemkine! Silver badge

      Let me guess

      It was a sophisticated attack, wasn't it?

      1. Frank Bitterlich

        Re: Let me guess

        Yes. By an unauthorised actor. And probably affecting a limited number of their clients. So, no way to prevent it. Move on, nothing to see here.

        1. John Brown (no body) Silver badge
          Joke

          Re: Let me guess

          an unnamed "unauthorised actor."

          The things some people get up to just because the theatres and TV production has been shuttered for so long. I never did trust actors. A shifty bunch the lot of 'em!!

    2. HildyJ Silver badge
      Mushroom

      Re: "Campbell is committed to, and takes very seriously, its responsibility . ."

      Failure to reveal a breach should be a felony.

      Failure to individually notify each affected customer should also be a felony.

      Also, affected individuals should be given the cost of credit monitoring so they can choose their own credit monitoring system or company.

      1. John Brown (no body) Silver badge

        Re: "Campbell is committed to, and takes very seriously, its responsibility . ."

        Under EU and UK legislation, it is. Well, maybe not a felony as such, but it can incur some massive fines if they can't come up with a very, very good reason for not disclosing it.

        "What happens if we fail to notify the ICO of all notifiable breaches?

        Failing to notify the ICO of a breach when required to do so can result in a heavy fine of up to £8.7 million or 2 per cent of your global turnover. The fine can be combined with the ICO’s other corrective powers under Article 58."

  2. Eclectic Man Silver badge

    Reviewing our existing policies

    "As part of our ongoing commitment to the privacy of personal information in our care, we are reviewing our existing policies and procedures, and are working to implement additional safeguards to further secure our information systems." =

    "Oh Shit! we were supposed to keep this stuff secret and now someone has got hold of it, and this has been made public. Quick!, we need a press release to calm things down."

    Maybe consider encrypted file store? Two-factor authentication? Firewalls?

    I have no idea what their existing security policies are, but they certainly need reviewing by someone competent. My experience of 'high powered' types is that they are not that interested in IT security when it causes senior managers to have to do menial things like using a strong password to log on (which is not written down on a table attached to the computer), encrypting laptop hard drives, or even keeping said laptop out of public view when going for a drink or meal, or maybe not clicking on every link or attachment in every email they receive.

    Or is 'reviewing our existing policies' actually a euphemism for 'looking for a scapegoat'*?

    Not that I'm cynical or anything.

    *Not one of the senior partners, probably an IT bod like 'head of IT security' or 'Chief Technical Officer' rather than the partner who didn't want to pay for IT security because (s)he got bored with the presentation.

    1. nematoad Silver badge
      FAIL

      Re: Reviewing our existing policies

      "The company has also offered those affected a 24-month subscription to credit monitoring, fraud consultation, and identity theft restoration services –"

      Well that's very commendable but would it not have been cheaper to have actually thought about and implemented some sort of security on all your customers data?

      As for keeping it quiet for five months surely some lawyer will see a pay day in that.

      1. Eclectic Man Silver badge

        Re: Reviewing our existing policies

        nematoad: "would it not have been cheaper to have actually thought about and implemented some sort of security on all your customers data?"

        Depends, the company may well provide some those services (e.g. fraud consultation), and may be able to claim the costs back against their insurance policy or do some (perfectly legal) 'creative accountancy' to cover the costs.

        The UK CIFAS (https://www.cifas.org.uk) seems quite cheap for an individual (about £25 for two years registration).

    2. Anonymous Coward
      Anonymous Coward

      Re: Reviewing our existing policies

      I have no idea what their existing security policies are, but they certainly need reviewing by someone competent.

      In my experience, neither such a review, nor revising the policies to improve them, makes a damn bit of difference.

      Our policies were completely overhauled some years ago, and IT still are nowhere near implementing them. We don't even have a usable backup mechanism for employee-controlled machines, or drive encryption for most laptops. Only a few systems use MFA. And so on.

    3. EnviableOne Silver badge

      Re: Reviewing our existing policies

      They probably already have one:

      CISO = Certified Incident Scapegoat Option

  3. Anonymous Coward
    Anonymous Coward

    No tech here, we're lawyers

    The legal industry are dinosaurs when it comes to tech. Trade shows are big on photocopiers, and dicta-phones still used by some partners. I'll bet they still use faxes. One partner used her inbox as a filing system and had 16,000 emails there, which caused some problems on the back-end Exchange servers. Paralegals, unpaid interns, and young slaves are all much cheaper (and more tractable) than trying to automate what is essentially a boilerplate factory. Even first-movers such as Linklaters from the magic circle in the UK are still relatively tame when it comes to innovation. Frankly, Apple - and they all seem to love those devices - would seem to have the only chance of hauling them into the twentieth century, let alone the twenty-first.

    1. Anonymous Coward
      Anonymous Coward

      Re: No tech here, we're lawyers

      \perfect example of:

      99% of lawyers give the rest a bad rep.

      1. Lil Endian

        Re: No tech here, we're lawyers

        LMAO

    2. Michael Wojcik Silver badge

      Re: No tech here, we're lawyers

      I've never found any other industry to be much better. A great many IT companies have appalling security.

  4. Aladdin Sane
    Mushroom

    Building a guillotine costs around $1,200, lumber and hardware tools included. Draw your own conclusions.

    1. David 132 Silver badge
      Happy

      Have you seen the price of dimensional lumber lately??? Your quoted $1200 might be a woeful underestimate. Last week I bought some 2x4s and 3 sheets of 19/32" OSB, and was impressed/alarmed that they were "worth" more than the truck I put them in.

      1. Aladdin Sane

        Well, the original article is 2012, so inflation will have had an impact.

  5. Lil Endian

    Exodus Large Client List

    I agree with all the comments above.

    Beyond any legal recourse, I hope their clients take their business elsewhere causing this mob to fold.

    Tip for clients: audit your intended legal firm's IT security with an independent outfit first, eh? It's got to be big money, so what's a little extra? (Or don't you care either?)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021