Law firm paid ransom to hackers, lawsuit says
A Denver law firm reportedly paid $200,000 to cybercriminals who held its data for ransom.
Campbell Killin Brittan & Ray, which was founded in 1995, practices business law out of its offices in Cherry Creek and represents several major corporations in the city.
On July 17 of last year, the firm was struck by a ransomware attack, according to a lawsuit. Ransomware is malicious software that denies a person or company access to their data by encrypting it with a key known only to the hacker, until the victim pays a ransom.
The attack lasted three weeks and ended only when CKBR paid $200,000 it had received from its insurance company, the lawsuit claims. The attack reportedly cost the firm $60,000.
“In this day and age, organizations across all industries are being affected by cybercrime,” Kevin Ray, the managing partner at Campbell Killin Brittan & Ray, said in a statement to Businessden. “Given the current cybersecurity environment and in consideration of the potential threats and risks involved, CKBR had prepared for the possibility of a cyber incident.”
During the attack, CKBR talked with outside experts and lawyers “to help us recover in the most expedient time possible and minimize any interruption in services,” Ray said. “CKBR prioritized the best interests of our clients to form our response throughout every step.”
Details of the attack and ransom payment were made public seven months later, on Feb. 16, as part of an unrelated lawsuit involving the $700,000 sale of a local information technology franchise. Ray claims that some details in that lawsuit, including the amount of the ransom and the cost to his firm, are inaccurate, but declined to answer questions about the attack.
Last August, Shawn and Dan Mcarthur bought the Denver office of Teamlogic IT from Tim and Claudia Pillow. Teamlogic franchisees provide IT services for a range of companies.
At the time of the sale, one of Teamlogic Denver’s top clients was Campbell Killin Brittan & Ray. The Mcarthurs sued the Pillows and their company, Pillow Party LLC, for fraud because they allegedly did not disclose that CKBR rightly blamed Teamlogic for the cyberattack.
“When Pillow Party began servicing CKBR’S account, it did not change all the administrative account passwords. Since the CKBR server password was not changed, it was easily hacked, which led to the initial intrusion into the CKBR network,” the lawsuit alleged.
“In addition, Pillow Party failed to properly back up CKBR’S data, which, if available, could have avoided the need to pay the attacker the requested ransom,” it went on to say.
On Feb. 22, the Mcarthurs dropped their lawsuit. Their attorney, Steven Mcdonald of Berliner Mcdonald in Greenwood Village, did not answer requests for an explanation. Tim and Claudia Pillow also did not return phone calls seeking comment on the case.
Meanwhile, Ray said that other firms need to think about cybercrime if they haven’t already.
“The importance of coordinated incident response planning, including cyber insurance and a comprehensive backup plan coordinated by IT experts, cannot be overstated,” he said, “especially for law firms and other professional services organizations.”