The American Bar Association has been served with a class action lawsuit alleging that it failed to secure and safeguard its members personal data, following a breach of its network at the beginning of March.
The ABA informed affected members on 20 April that on March 17, 2023, it observed unusual activity on its network, triggering its incident response plan. An investigation determined that an unauthorized third party gained access to the ABA network beginning on or about March 6, 2023 and may have acquired “certain information.” On March 23, 2023, the investigation identified that an unauthorized third party acquired usernames and hashed and salted passwords used to access online accounts on the old ABA website prior to 2018 or the ABA Career Center since 2018.
On 21 April, plaintiff Tiffany Troy from employment litigation firm Troy Law filed a class action on behalf of herself and others “similarly situated”, alleging that the ABA’s security failures had enabled hackers to steal personal and financial data, putting class members’ personal and financial information at serious and ongoing risk.
The claim, issued in The United States District Court, Eastern District of New York, alleges that the hackers continue to user the information they obtained as a result of the ABA’s “inadequate security” to exploit and injure class members across the United States. The claim further alleges that the breach was caused by and enabled by the ABA’s “knowing violation of its obligations to abide by best practices and industry standards in protecting customers personal information,” and that the ABA “grossly failed to comply with security standards and allowed its customers’ financial information to be compromised, all in an effort to save money by cutting corners on security measures that could have prevented or mitigated the breach.”
The action claims that the ABA failed to uncover or disclose the breach in a timely manner and take other reasonable steps to inform its customers of the nature and the extent of the breach, preventing class members from protecting themselves. Damages are sought in excess of $5m.
The ABA told Legal IT Insider that it does not comment pending litigation. However, in a statement on the data breach itself, ABA president Deborah Enix-Ross said: “The ABA takes seriously its responsibility to protect private data. We are gratified that a breach by a threat actor was discovered within 11 days of access.
“While the threat actor obtained some customer usernames and coded passwords, which were salted and hashed, an outside investigation determined no credit card numbers, addresses, phone numbers, social security numbers or other sensitive personally identifiable information were accessed. The accessed data was for the old ABA website used prior to 2018, not the current website. Some of the credentials are used for the ABA Career Center.”
Enix-Ross added: “We have seen no increased use of the login credentials and no evidence of the accessed data being used. Several steps have been taken to prevent future breaches and inform those affected. The ABA apologizes for the inconvenience this incident has caused.”
Here is ABA’s email of 20 April in full:
This letter is to inform you of a data security incident that impacted the username and salted and hashed password you may have used to access your American Bar Association (“ABA”) online account prior to 2018 on the old ABA website, or the ABA Career Center since 2018. The ABA takes the security of your information very seriously and sincerely apologizes for any concern this incident may cause. While the ABA has no indication that your personal information has been misused, this letter contains information about what occurred, actions that have been taken to prevent a reoccurrence, and steps you can take to protect your information.
On March 17, 2023, the ABA observed unusual activity on its network. The incident response plan was immediately activated response, and cybersecurity experts were retained to assist with the investigation. The investigation determined that an unauthorized third party gained access to the ABA network beginning on or about March 6, 2023 and may have acquired certain information. On March 23, 2023, the investigation identified that an unauthorized third party acquired usernames and hashed and salted passwords that you may have used to access online accounts on the old ABA website prior to 2018 or the ABA Career Center since 2018.
What information was involved?
The personal information involved the username and hashed and salted password you may have used to log into the old ABA website before 2018 or the ABA Career Center since 2018. To be clear, the passwords were not exposed in plain text. They were instead both hashed and salted, which is a process by which random characters are added to the plain text password, which is then converted on the ABA systems into cybertext. In addition, in many instances, the password may have been the default password assigned to you by the ABA, if you never changed that password on the old ABA site. The ABA is notifying all affected individuals in an abundance of caution.
Although the ABA changed its website log-in platform in 2018 and asked each user to create new credentials, if you utilized the same credentials to access the new ABA website, www.americanbar.org, please update your password at your earliest convenience.
What we are doing.
The ABA takes the security of your information seriously and has taken measures to reduce the likelihood of a future cyber-attack, including removing the unauthorized third party from the ABA network and reviewing network security configurations to address continually evolving cyber threats.
What you can do.
Although the ABA has received no reports of misuse of your or anyone’s information, you are encouraged to change any passwords which may be the same as or similar to the password at issue in this incident and remain vigilant against any unauthorized attempts to access your online accounts. If you would like to continue to use the ABA Career Center, you should consider changing your password in an abundance of caution. Your state law may require the ABA to provide additional information about identity theft, which is provided for you here.
Anyone who is concerned that they have been affected is urged to call the ABA.