July 7, 2026

One might be tempted to say Blank Rome was hacked, but that would be a simplistic explanation for a complex failure. On May 21, a seemingly innocent phone call to a Blank Rome attorney, under the guise of IT support, led to a catastrophic error: the attorney uploaded confidential client files to an external Google Drive, orchestrated by impostors. This blunder resulted in the exposure of personal information, including Social Security numbers, of 57,554 clients.
In response, two class action lawsuits were filed in the Eastern District of Pennsylvania, spearheaded by Kopelowitz Ostrow, Milberg PLLC, Strauss Borrelli, and the Srourian Law Firm. These lawsuits, which mirror each other in their allegations, accuse Blank Rome of negligence, breach of fiduciary duty, breach of implied contract, and violations of several California privacy laws.
Blank Rome's defense hinges on the assertion that there was no actual breach of their network systems, and they maintain that their client information protection protocols remain robust. However, their own admissions and the nature of the incident—where sensitive data was willingly handed over to a fraudulent party—might undermine their defense.
The law firm has attempted to mitigate the damage by offering affected clients 12 to 24 months of credit monitoring. However, this gesture has not appeased the plaintiffs, who find the response inadequate given the severity and scope of the data exposed.
This incident is not an isolated case in the legal industry. The Silent Ransom Group, also known as Luna Moth among other names, has been targeting law firms with similar scams since 2023. The FBI had even issued warnings about these tactics, which previously influenced law firms like Jones Day and Lewis Brisbois to tighten their security measures and protocols.
Despite Blank Rome’s extensive expertise in Privacy, Security & Data Protection, the firm was ironically undone by a deceptive call that their own team should have been primed to suspect. The firm did act swiftly once the breach was recognized—disconnecting the compromised devices and alerting law enforcement within two hours. Nevertheless, the delay in notifying the affected clients until June 26 has also fueled the current backlash.
This situation serves as a stern reminder of the vulnerability of law firms to even basic social engineering attacks and highlights the ongoing challenges in protecting sensitive information in a sector ripe with valuable data. As these legal battles unfold, they will undoubtedly prompt a reevaluation of security practices across the legal industry.