Lawyers cough up $200k after health data stolen in Microsoft Exchange pillaging

New York law firm Heidell, Pittoni, Murphy and Bach (HPMB) has agreed to pay $200,000 to settle a data-breach lawsuit related to the now-notorious Hafnium Microsoft Exchange attacks that siphoned sensitive data from victims around the world.  In 2021, months after Redmond had fixed the security flaws in servers running its …

  1. elDog

    Excellent. Start fining companies that don't protect their clients' data.

    In this case, the fines should be many times higher and the fees extracted should be able to offset the costs of the victims' time and expenditures.

    There should also be a public registry of which firms/individuals have offended. This would probably be a bigger deterrent to future lapses in good judgement. A few $100,000 for big companies is just a bump in the "cost of doing business".

    1. Dimmer

      Re: Excellent. Start fining companies that don't protect their clients' data.

      Not fines, restitution. The authorities have already been paid to do the job. It is called taxes.

      Assess the restitution to be paid to those affected. It will have the same effect on the business, but at least the victims get something.

      1. Arthur Daily

        Re: Excellent. Start fining companies that don't protect their clients' data.

        Wrong. 300K is chicken feed for a law firm. They decided to willfully take shortcuts to save money. For HIPAA data, known critical patches not delivered in a month need to be classed as negligence, no ifs or buts. There needs to be a register of shame, naming the actual people with actual responsibility for this intrusion, up there for all to see, as well as all elected directors. Lately there is a trend to appoint security fall guys to wear all the blame, but they have no say in the budget, nor an automatic emergency reserve. Most go for 2-year contracts, as the first year might be a tight budget, and the 2nd year is coasting on 'acceptable risk'. The pentests should also be placed online after any breach, so everyone knows slackness was the cause.

        1. Anonymous Coward

          Re: Excellent. Start fining companies that don't protect their clients' data.

          It's a law firm. The responsible names are on the front door, and on every piece of letterhead and correspondence.

  2. Andy the ex-Brit

    I'm curious, what would have been acceptable as "proof that the data had been deleted?" It seems an epistemological impossibility to me.

  3. A random security guy

    200K for a law firm is peanuts

    Having worked with law firms, a fine of $200K is not a fine.

    1. Tom 7

      Re: 200K for a law firm is peanuts

      Sounds like 'the wine bill' on a pre-xmas lunch stress-test.

  4. MMR

    114979 clients, $200k fine

    $1.74 per client. This is how much your personal data is worth in front of the US law. I bet it's more expensive if someone wanted to buy it from the dark corners of the internet.
