In July 2024, Michael T. Gibson P.A., a car accident law firm, reported a significant data breach affecting personal information of its clients. The breach occurred when an unauthorized third party compromised the systems of one of the firm’s external IT vendors. This unauthorized access allowed the attackers to infiltrate Michael T. Gibson P.A.’s computer systems, along with several other businesses using the same vendor. The breach was first detected on July 22, 2024, when files containing potentially sensitive personal information were extracted. On the following day, July 23, ransomware was deployed, encrypting most of the law firm’s computer network.
The firm conducted an internal investigation to determine the extent of the breach. It was revealed that the attackers may have accessed personal information, including full names, dates of birth, email addresses, telephone numbers, and home addresses. However, the law firm admitted that, due to the large volume of data compromised, they were unable to precisely identify the extent of the information that may have been extracted. The firm refrained from disclosing which specific types of personal data were compromised and, as of the time of reporting, no cybercriminal groups had taken responsibility for the breach.
Despite the serious nature of the breach, Michael T. Gibson P.A. did not initially offer victims identity theft protection or credit monitoring services, which are commonly provided in cases where sensitive information such as Social Security numbers are compromised. This omission raised concerns among the affected individuals, who were left uncertain about the protection of their personal information. The firm’s response did not align with the standard practices typically observed in similar breaches, which further amplified worries about potential identity theft or fraud.
By August 26, 2024, the firm confirmed that 17,410 individuals had been affected by the breach. While the law firm provided some updates, affected clients continued to express concern over the lack of transparency and absence of protective measures such as credit monitoring. The breach’s impact, coupled with the uncertainty about the attackers’ motives and possible further use of the compromised data, left individuals vulnerable and seeking more comprehensive responses from Michael T. Gibson P.A. The investigation remains ongoing as the firm works to address the broader implications of the incident.
Reference:
