Accellion, a top legal data vendor, was hit by a data breach. Here are firms that could be at risk in the legal industry's latest data security risk.
Leading law firm data vendor Accellion fell victim to a data breach now tied to hacks at at least two big customers, the latest in a string of data-security failures that has affected the legal industry in recent years.
Accellion said this month that its aging File Transfer Appliance (FTA) product was compromised. For years, Accellion, which provides file transfer services, has been a top choice among Big Law to share sensitive files that are too big to be emailed, and is used by 35% of the largest law firms.
Accellion FTA is meant to help large companies like law firms securely transfer large and sensitive files through a private cloud system. The 20-year-old platform is being phased out, Accellion said this month, and will not allow renewals after April 30.
The Wall Street Journal on Tuesday reported that Jones Day, which has represented major corporate clients like Alphabet and Goldman Sachs, along with Donald Trump's presidential campaign, was among the firms impacted. The anonymous hacker who posted documents purported to be from Jones Day on the dark web told the Journal that it had accessed Jones Day servers and didn't obtain the information through Accellion, something Jones Day disputed.
"Jones Day's network has not been breached," the firm said in a statement, adding that the incident was still under investigation. "Jones Day has been informed that Accellion's FTA file transfer platform, which is a platform that Jones Day — like many law firms, companies and organizations — used was recently compromised and information taken."
Goodwin Procter, another large firm that has used Accellion, experienced a data breach on Jan. 20, Bloomberg Law first reported. When reached by Insider on Wednesday, the firm declined to comment.
In addition to using Accellion, Goodwin Procter also represented an investor in the company in a $120 million financing round last year.
Many law firms have been mentioned in Accellion's marketing material over the years, but several — including Cozen O'Connor, Seyfarth Shaw, Arent Fox, and Barnes & Thornburg — weren't impacted by the breach, according to statements by the firms or people familiar with the matter.
Rob Dougherty, an Accellion spokesman, told Insider that "the vast majority" of its law-firm clients no longer use FTA and have upgraded to its newer Kiteworks product, but didn't respond to a request for specific numbers.
Kiteworks was launched in 2014. FTA, meanwhile, is nearing the end of its product life, Accellion said in its Feb. 1 statement disclosing what it called a "sophisticated cyberattack."
Accellion has also touted Fragomen Del Rey Bernsen & Loewy; Cahill Gordon & Reindel; Willkie Farr & Gallagher; Squire Patton Boggs; Ropes & Gray; Dentons; Latham & Watkins; Foley & Lardner; and Cadwalader Wickersham & Taft as clients.
Representatives for Cahill, Squire, Ropes, Latham and Cadwalader said they weren't impacted by the breach. A Dentons representative said the firm does not use the FTA system. People at the other firms didn't respond to comment requests.
Law firms and the companies that manage their data have been targeted in privacy attacks in recent years: DLA Piper was hit in a major cybersecurity attack in 2017, in which hackers demanded a mere $300 in bitcoin for the firm to regain access to its computer systems. A 2019 Law.com report estimated that more than 100 Big Law firms have reported data breaches.
Frank Gillman, a law firm information technology consultant with Vertex Advisors, told Insider that he couldn't speak about Accellion specifically, but said software vendors are generally not looking to break the bank when they ask a firm to upgrade.
"Typically, software companies looking to get clients from an older iteration to a newer product line keep the overall price increase to a 10% to 15% range increase, with large incentives for longer subscription periods," he said in an email. "Otherwise, it's difficult to meet budgetary restrictions of the customer."
The responses from law firms and their third-party data storage partners to data breaches have varied. In some cases, hackers have threatened to erase or release files unless they are paid. In a late 2020 breach notification, Cadwalader reportedly told a regulator that one of its vendors was impacted by a ransomware attack and paid to have its systems unencrypted.
The Wall Street Journal reported that the hacker who claimed to have breached Jones Day said the firm hadn't responded to its outreach.