Fragomen declares data breach affecting “limited number” of Google employees

New York law firm Fragomen Del Rey, Bernsen & Loewry has filed a data breach notification with the California attorney general’s office after an unauthorised party gained access to a single file containing the personal information of a “limited number” of ‘Googlers’ and ‘former Googlers’.

The breach is understood to have taken place between 1 July and 16 July. The firm says in a sample letter to those affected, filed with the AG today (26 October): “We recently became aware of suspicious activity within our computer network. While our investigation is ongoing, we discovered that an unauthorized third party gained access to a single file containing personal information relating to I-9 employment verification services. This file contained personal information for a discrete number of Googlers (and former Googlers), including you.”

It adds: “We promptly commenced an investigation upon learning of this activity and engaged a digital forensic investigation firm to assist with this investigation. While we have no evidence at this point in time that your information has been viewed, we wanted to notify you of this incident and assure you that we take it very seriously. We have taken steps in response to this incident, including implementing enhancements to our IT Security infrastructure and detection capabilities.”

It is not known what information has been accessed or how many people are affected, but the documents that are suitable for I-9 employee verification include passports, resident cards, and driving licenses.

A Fragomen spokesman told Legal IT Insider: “Fragomen can confirm an unauthorized third party accessed a data file containing personal information from a group of current and former Google employees. All of the employees involved have been notified and we are offering complimentary identity theft protection and credit monitoring services where possible. While we have no evidence of any further misuse, we have taken steps to remediate the incident and have verified it was an isolated incident that did not involve our general client data systems. This isolated incident is in no way indicative of the robust cyber security guidelines and practices Fragomen has long had in place.”

Google has yet to return our request for comment.