ABA notifies members of stolen data
The ABA reported on Thursday that some of its members’ account information was stolen during a data security breach in March. “To be clear, the passwords were not exposed in plain text,” according to the ABA, which also notified members of the breach via email.
According to a notice posted on the ABA’s website, the association “observed unusual activity on its network” on March 17. An investigation later determined an unauthorized third party had accessed the network on March 6 and acquired usernames and “hashed and salted” passwords that lawyers and others used to access their online accounts on the old ABA website prior to 2018 or the ABA Career Center since 2018.
The ABA explained that passwords were “both hashed and salted, which is a process by which random characters are added to the plain text password, which is then converted on the ABA systems into cybertext.”
“In addition, in many instances, the password may have been the default password assigned to the user by the ABA, if the user never changed that password on the old ABA site,” the association said.
The ABA also said it was notifying affected individuals out of “an abundance of caution,” but encouraged members who have used the same credentials since 2018 or plan to continue using the career center to consider updating them.
“Although the ABA has received no reports of misuse of anyone’s information, we encourage concerned individuals to change any passwords which may be same as or similar to the password at issue in this incident and remain vigilant against any unauthorized attempts to access online accounts,” the association said.
Carol Stevens, the director of ABA Media Relations & Strategic Communications, confirmed Friday that 1.5 million members’ accounts were affected in the data security breach.
Bloomberg Law, Reuters and Law360 have additional coverage of the breach.