This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Nicholsons Solicitors

Summary

On 24 November 2024, the INC Ransom gang claimed responsibility for hacking Nicholsons Solicitors, a now-closed Brisbane law firm, exposing at least 250 gigabytes of client data including correspondence, court documents, bank account details, and property deeds. The breach occurred after the firm closed without naming a successor practice, leaving legacy data unprotected on servers with no clear custodian. The Queensland Law Society confirmed no successor practice was appointed, highlighting significant cybersecurity risks when businesses shut down without proper data management arrangements.

What Happened

Nicholsons Solicitors, a Brisbane-based law firm, appears to have recently ceased operations with its website redirecting elsewhere, phone disconnected, and Google listing it as "permanently closed." Despite the firm's closure, data remained accessible on legacy servers without adequate protection or clear custodianship.

The INC Ransom ransomware gang exploited this vulnerability, gaining access to the unprotected data and listing Nicholsons Solicitors on their dark web leak site on 24 November 2024. The attackers published sample documents demonstrating access to sensitive client information spanning the firm's legal practice.

Compromised data included client correspondence, court documents, debtors reports, client bank account details, credit notes, and property deeds. File directory screenshots suggested at least 250 gigabytes of data were exposed.

Impact on Individuals

The breach affected former clients of Nicholsons Solicitors who entrusted the firm with sensitive legal matters, financial information, and confidential communications. With no successor practice named, affected clients had no clear point of contact for breach notification or protective measures.

Organisational Response

With the firm closed and no successor practice appointed, there was no organizational entity to respond to the breach, notify affected clients, or remediate the security failure. This created a dangerous gap where client data remained vulnerable with no party responsible for its protection.

Verification Source: View original statement