Microsoft Exchange Server vulnerability makes lawyers pay $200k as a settlement


In 2021, the LockBit Ransomware group breached the servers of New York-based law firm HPMB and stole sensitive information from one of its healthcare-related clients. The stolen data included names, DOBs, social security numbers, driving license details, biometric information of 114,979 individuals, and court-related documents in PDF form.

A security analysis done in April 2022 revealed that the cybercriminals from China-funded Hafnium Group gained access to HPMB’s servers through a vulnerability in Microsoft Exchange Server.

As the vulnerability was fixed by Microsoft in 2021, the Windows OS-producing company was not at fault for the breach. In response to a class action lawsuit, HPMB agreed to pay $200,000 to settle the data breach suit filed by its customer.

The healthcare provider also agreed to enhance its cybersecurity measures and appoint a third-party forensic expert to report on its current cybersecurity posture and those that will be adopted in the future.

Additionally, the company paid $100,000 to the LockBit ransomware gang that stole and encrypted the database in 2021. Therefore, the company paid a total of $350,000, including $50,000 as miscellaneous expenses($200,000 settlement costs and $100,000 paid to Lockbit), to continue its business operations.

Letitia James, the Attorney General at New York Court, gave the law firm seven days to review its decision and submit a report on how it will protect its user data in the future.


Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security

No posts to display