On August 15, 2022, Clark Patterson Lee (“CPL”) reported a data breach with the Office of the Attorney General of Vermont after the company experienced what appears to be a ransomware attack. After confirming the breach and identifying all affected parties, Clark Patterson Lee began sending out data breach letters to anyone whose information was leaked. CPL has not yet publicly disclosed the type of data that was compromised in the cyberattack; however, based on state data breach reporting requirements, it is likely that the information includes sensitive data types, such as Social Security numbers or financial account information.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Clark Patterson Lee data breach, please see our recent piece on the topic here.
What We Know About the Clark Patterson Lee Data Breach
The information about the Clark Patterson Lee data breach comes from an official filing with the Office of the Attorney General of Vermont. According to the most current information, on June 10, 2022, CPL detected a potential network security incident when certain files on the company’s network appeared to have been encrypted. In response, CPL reached out to outside cybersecurity professionals to assist with the company’s investigation.
The CPL investigation revealed that an unauthorized person had access to certain files on the company’s servers between the dates of June 9, 2022 and June 10, 2022. Additionally, CPL confirmed that some of the accessible files contained sensitive information belonging to certain individuals.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Clark Patterson Lee began the process of reviewing all affected files to determine what information was compromised and which consumers were impacted by the incident. CPL completed its review of the files on July 28, 2022.
On August 15, 2022, Clark Patterson Lee sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About Clark Patterson Lee
Clark Patterson Lee is a multi-disciplined architecture, engineering, design, and planning firm based in Latham, New York. Along those lines, the company provides a range of architecture-related services, including interior design, civil engineering, transportation architecture, buildings and structural engineering, landscape architecture, and municipal services and planning. Clark Patterson Lee employs more than 434 people and generates approximately $175 million in annual revenue.
Was the Clark Patterson Lee Breach Caused by a Ransomware Attack?
In the data breach letter CPL sent to victims of the recent data security incident, the company mentioned that it first detected a potential data security incident when it learned that files on its network had been encrypted. Encryption is a process that encodes files, making them inaccessible to anyone without the encryption key (which is usually a password). Individuals and companies encrypt files every day to protect sensitive data from unauthorized access. However, cybercriminals also use encryption when carrying out certain types of cyberattacks—usually ransomware attacks.
So, while CPL did not explicitly state the incident was due to a ransomware attack, it’s a good indication that was the case.
A ransomware attack occurs when a hacker installs malware that encrypts the files on a victim’s computer. When the victim of the attack logs back on to their computer, they see a message demanding they pay a ransom if they want to regain access to their computer. If the victim pays the ransom, the hackers decrypt the files. For the most part, hackers keep their word to decrypt files after a company pays a ransom because, if they didn’t, companies would have no incentive to pay a ransom.
However, hackers have recently started to add additional incentive by threatening to publish the stolen data on the dark web if a company does not pay the ransom. While the FBI advises companies not to pay ransoms following a ransomware attack, companies experiencing a ransomware attack are in a difficult position because many would prefer to quietly pay a ransom to avoid news of the breach becoming public.
However, companies can—and should—take preventative steps to avoid becoming the target of a ransomware attack in the first place. For example, training employees about the risks of phishing emails and developing state-of-the-art data security systems are two relatively easy things companies can do to prevent these attacks. Unfortunately, despite the widespread knowledge of the risks of ransomware attacks, many companies fail to devote adequate resources to the prevention of ransomware attacks.