|
7 July 2026 (New York, NY) - An attorney with Blank Rome LLP was tricked into uploading sensitive files to an external Google Drive account, allegedly exposing private information belonging to more than 57,000 individuals, according to a proposed class action accusing the law firm of inadequate cybersecurity safeguards and delayed breach notification.
Named plaintiff Laura Delapaz of California, a former client of Blank Rome who said her information was exposed in the breach, said in a Monday complaint that the firm "failed to adequately train its employees on cybersecurity and failed to maintain reasonable security safeguards."
The complaint alleges that the private information of 57,554 current, former and prospective clients of Blank Rome was exposed:
"Blank Rome acted with wanton and reckless disregard for the security and confidentiality of Plaintiff's and Class members' Private Information".
The breach occurred on May 21st when an unauthorized third party called an attorney with Blank Rome, posed as a member of the firm's information technology department and convinced the attorney to upload the files to the external account.
Note to readers: the attack was by the Silent Ransom Group which we have written about in numerous posts. They have targeted numerous major U.S. law firms. Cyber experts tell us while not Russian state-sponsored or Russian-backed, the group's leadership is based in Russia, and they most certainly operate with the knowledge of the Russian government.
The breach exposed information included:
- names
- full home addresses
- Social Security numbers
- contact information including emails and mobile phone numbers
- financial account information
- medical information
Blank Rome said it identified the incident within two hours, took the attorney's device offline and deleted the files in the Google Drive account. The firm said it launched an investigation and notified law enforcement, determining the extent of the breach around May 28th:
"Blank Rome experienced a limited incident in which a group that targets law firms called one of our attorneys, posed as our IT department, and misled the attorney into uploading files to an external file hosting website. We acted quickly to mitigate and contain the incident, notified law enforcement, began an investigation with the support of external cybersecurity professionals and communicated with affected clients".
The firm added that the incident was limited to just one attorney and that there was no access to the firm's network. Blank Rome's operations were not disrupted, it said.
Delapaz alleges in the complaint that affected parties were notified around June 26th, more than a month after the firm first discovered the data breach. The complaint alleges the firm "enriched itself" by using cheaper, ineffective security measures that would have prevented the attack.
Note to readers: as we have noted in numerous posts, due to tight budgets and a lack of tech awareness, many law firms rely on cheap, obsolete, or inadequate IT services, which leads to frequent, devastating data breaches. Once cleared by our lawyers and our cybersecurity partner, we will issue a special post to show how easy it is to hack a law firm.
Blank Rome responded with:
"We are committed to protecting our clients' information and maintaining the trust they place in us. We believe the lawsuit has no merit and will aggressively defend against it".
In the wake of the incident, Blank Rome said it arranged for affected parties to get complimentary access to credit monitoring and provided additional targeted social engineering training throughout the firm.
But Delapaz said in the complaint that the credit monitoring service does not adequately address the "lifelong harm that victims will face". She claims to have already experienced an influx of spam communications, and other unwanted communications, as have others in the proposed class action. The complaint notes:
"The exposure of one's Private Information to cybercriminals is a bell that cannot be unrung. Before this data breach, its current, former, and prospective clients' Private Information was exactly that — private. Not anymore. Now, their Private Information is forever exposed and unsecure."
The sentiment that standard law firm monitoring services fail to mitigate the lifelong harm victims face from cyber attacks is gaining traction. Legal analysts say the Blank Rome case could be an excellent test case.
Because legal practices hoard so much highly sensitive data, downstream a cyber breach/attack will create a cascade of risks, often severe and often hidden, and the standard credit monitoring provided is an inadequate defense against the permanent weaponization of exposed personal histories.
Standard breach responses typically provide one to two years of basic credit monitoring or dark web identity scanning. Analysts say such standard monitoring falls short for several reasons:
-
Permanent data exposure. Once sensitive data - such as medical records, business contracts, or Social Security numbers - is dumped online, it is permanently accessible. Credit monitoring expires, but the stolen data can be utilized by bad actors indefinitely.
-
Non-Financial Consequences. Standard services heavily focus on financial fraud, neglecting the emotional, psychological, and professional damage caused by identity theft, extortion, or the public release of intimate legal records.
-
Third-Party Risk. Because many law firms have smaller cybersecurity budgets than the corporate clients they serve, they are increasingly targeted by hackers specifically looking for a backdoor.
So legal experts and class-action attorneys are saying the time has come to demand broader settlements. Instead of just offering short-term credit alerts, plaintiffs are pushing for:
-
Lifetime identity restoration services. Moving away from basic scanning toward dedicated professionals who can actively assist victims whenever their compromised data surfaces.
-
Longer monitoring windows. Extending monitoring periods well beyond the standard one-year window to compensate for the lifelong risks associated with compromised Social Security and identity numbers.
-
Stricter firm compliance. Increasing regulatory pressure, such as rules enforced by the state bar to ensure firms have take proactive, protective cyber protection measures, rather than only reacting to breaches after the fact. And for those that have been breached, proof that they have upped their game and put true cybersecurity measures in action.
The case name is Laura Delapaz v. Blank Rome LLP, case number 2:26-cv-04655, in the U.S. District Court for the Eastern District of Pennsylvania.
|