American Bar Association Announced Data Breach, More Than 1 Million Accounts Impacted

April 27, 2023

The American Bar Association (ABA) announced on April 21 that it experienced a data breach in March 2023, resulting in the exposure of over 1.5 million member accounts. According to the ABA, an unauthorized user accessed its systems between February 28 and March 2, 2023, gaining access to member account information, including names, contact information, and in some cases, dates of birth and login credentials. The ABA, which is the largest organization of lawyers in the United States with over 400,000 members, stated that no financial information or Social Security numbers were exposed in the breach.

Additionally, the bad actors only gained access to hashed and salted passwords. Hashing a password involves converting a plain text password into a shorter, fixed-length value (usually a series of letters and/or numbers). Salting involves adding a string of additional characters before a password is hashed in order to strengthen the password. Thus, the exposure of salted and hashed passwords means that the passwords were not exposed in plain text. However, it is important to note that the stolen information is still valuable for bad actors, as even minimal account information can be easily used for identity theft, phishing scams, and more broadly as a gateway into individual users’ network infrastructure.

The breach was discovered by the ABA’s internal security team, and the organization is currently working with external cybersecurity experts to investigate the incident and mitigate any potential damage. The ABA has also notified law enforcement and is offering free credit monitoring and identity theft protection to affected members. The ABA has acknowledged that the breach is a serious issue and has stated that it is taking steps to improve its cybersecurity measures, including conducting regular security assessments and implementing additional security controls.
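What "hashed and salted" storage looks like in practice, as an added example that is not from the ABA or the original article. It assumes PBKDF2-HMAC-SHA256 with a random per-account salt (the article does not say which algorithm the ABA used), and the account names and password are constructed sample data.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your own hardware.
ITERATIONS = 600_000

# Constructed sample data: two accounts that happen to share one password.
SAMPLE_ACCOUNTS = {"alice": "correct horse battery", "bob": "correct horse battery"}


def unsalted_hash(password):
    """Fast, unsalted SHA-256, shown only for comparison with the salted form."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh 16-byte random salt is used per account."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


def store_accounts(accounts):
    """Build the credential table a server would keep: {user: (salt, digest)}."""
    return {user: hash_password(pw) for user, pw in accounts.items()}


if __name__ == "__main__":
    table = store_accounts(SAMPLE_ACCOUNTS)
    for user, (salt, digest) in table.items():
        # Same password, different salt, so the stored digests differ.
        print(user, salt.hex(), digest.hex())
    # Without a salt, identical passwords are visibly identical in the table.
    print({u: unsalted_hash(p) for u, p in SAMPLE_ACCOUNTS.items()})
    salt, digest = table["alice"]
    print(verify_password("correct horse battery", salt, digest))
```

Because each account has its own salt, a stolen table does not reveal which members share a password, and each guess has to be recomputed per account at the full iteration cost.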
This breach is a reminder of the importance of cybersecurity for all organizations, regardless of size or industry—but particularly in the legal industry. It is important for law firms to have robust cybersecurity programs in place to protect their clients’ sensitive information and maintain their professional reputation. With the increasing frequency and sophistication of cyber attacks, law firms must be proactive in implementing security measures to prevent data breaches and ensure compliance with data protection regulations. Failure to do so can result in financial losses, legal liability, and damage to the firm’s reputation. Additionally, clients are becoming increasingly concerned about data security and are more likely to choose firms that prioritize cybersecurity.

Sarah M.D. Luth is an Intellectual Property Attorney in the MVS Biotechnology & Chemical Practice Group. To learn more, visit our MVS website.