When Your Law Firm Becomes Your Liability: The Goldman Sachs-Fried Frank Breach and the Hidden Danger of Professional Services Supply Chains
How a cybersecurity incident at one of Wall Street's most prestigious law firms exposed the uncomfortable truth about third-party risk in the professional services sector
Executive Summary
On December 19, 2024, Goldman Sachs Group Inc. sent a letter that no financial institution wants to write: informing investors in its alternative investment funds that their sensitive personal and financial data may have been compromised—not because Goldman's systems were breached, but because their outside counsel was hacked. The victim: Fried, Frank, Harris, Shriver & Jacobson LLP, one of the most prestigious international law firms serving Wall Street's elite.
Within days, a class action lawsuit was filed in the U.S. District Court for the Southern District of New York, alleging that Fried Frank "failed to adequately safeguard the sensitive personal information" of account investments associated with Goldman Sachs private equity funds. The complaint specifically notes that the law firm hasn't notified account holders directly or offered credit monitoring services, leaving victims potentially exposed to "multiple years of ongoing identity theft."
Key Impact Metrics:
- Victims: Investors in Goldman Sachs alternative investment funds (exact number undisclosed)
- Data Exposed: Sensitive personal and financial information of high-net-worth individuals
- Attack Vector: Cybersecurity incident at third-party law firm
- Downstream Impact: Multiple Goldman Sachs private equity funds affected
- Legal Response: Class action lawsuit filed December 2024
- Industry Context: Part of a record-breaking year for law firm data breaches
This incident isn't just another data breach—it's a stark illustration of how professional services firms have become the weakest link in the modern security supply chain, and why your law firm, accounting firm, or consultant could be your organization's greatest liability.
📊 COMPLIANCE RESOURCE: Organizations affected by this breach must navigate complex state notification requirements. Use our free State Breach Notification Requirements Tracker to understand your obligations across all 50 states.
The Anatomy of a Professional Services Supply Chain Attack
What Happened at Fried Frank
According to the limited information disclosed by the parties involved, Fried Frank "recently experienced a data security incident" affecting data held on behalf of Goldman's alternative investment funds. The firm's response statement was carefully worded: "We promptly acted to contain the incident and engaged industry-leading, external data security experts to assist in our response and in verifying the security of our systems and reported the matter to law enforcement."
What makes this breach particularly concerning is the nature of the data relationship. As outside counsel to many of Goldman's alternatives funds, Fried Frank held extraordinarily sensitive information:
- Personal identifying information of high-net-worth investors
- Financial account details and investment positions
- Proprietary fund structures and strategies
- Regulatory filings and compliance documentation
- Potentially privileged attorney-client communications
Goldman Sachs emphasized in its December 19 letter that it was "working closely with Fried Frank to better understand whether our data or our clients' data may have been exposed." The analysis was described as "ongoing," suggesting the full scope of the breach remains unclear even weeks after discovery.
Critically, Goldman's spokesperson stated: "Goldman Sachs' systems were not impacted by this incident and remain secure." This is the new reality of third-party risk: Your fortress can be impregnable, but if your vendor's door is unlocked, you're still exposed.
The Class Action Response
The swift filing of a class action lawsuit reveals how seriously the legal and financial communities are taking this breach. The complaint alleges several critical failures:
- Inadequate Safeguards: Failure to implement reasonable security measures for sensitive client data
- Lack of Transparency: No direct notification to affected account holders
- Insufficient Remediation: No offer of credit monitoring or identity theft protection services
- Ongoing Risk: Victims face "multiple years of ongoing identity theft" exposure
One plaintiff stated in the complaint that had he known Fried Frank's systems weren't secure, he wouldn't have trusted Goldman with his personal information—highlighting how third-party security has become a direct factor in consumer trust and investment decisions.
2024: The Year Law Firms Became Cybersecurity's Biggest Target
The Fried Frank incident doesn't exist in isolation. 2024 has been a devastating year for law firm cybersecurity, with breaches hitting record highs across the legal industry.
The Numbers Tell a Grim Story
According to multiple industry analyses:
- 21 law firms reported data breaches in just the first half of 2024, compared to 28 in all of 2023—putting the year on pace to be the biggest in law firm breach history
- 40% of law firms experienced a security breach in 2024, up from previous years
- 56% of law firms that experienced breaches lost sensitive client information
- $5.08 million: Average cost of a data breach for professional services firms (including law, accounting, consulting)—higher than the global average of $4.88 million
- 30% increase in ransomware attacks on law firms in Q1 2024 alone
- $500,000+: Average ransom demand for law firm attacks
High-Profile Legal Industry Victims in 2024
Taft Stettinius & Hollister (Am Law 100 #83)
- Ransomware attack discovered October 2023
- Nearly 6,000 individuals' data accessed
- Names, addresses, and Social Security numbers compromised
- Attack targeted "secondary servers and workstations"
Gunster Yoakley & Stewart
- $8.5 million settlement paid (November 2024)
- Stemmed from 2022 data breach
- Exposed personal and health information of nearly 10,000 individuals
- One of the largest law firm breach settlements to date
HWL Ebsworth (Australia)
- ALPHV/BlackCat ransomware attack (April 2023)
- One of Australia's largest law firms compromised
- Demonstrates global nature of law firm targeting
Houser LLP
- Files encrypted and exfiltrated (May 2023)
- 325,000+ individuals affected
- SSNs, driver's licenses, medical information, and financial data stolen
- Ransomware with data theft component
Why Law Firms Are Prime Targets
Law firms represent a perfect storm of cybersecurity vulnerabilities (see our comprehensive guide on Safeguarding Legal Practice: Understanding Breaches and Strengthening Cybersecurity in the Legal Industry):
1. Data Aggregation: Law firms centralize confidential information from multiple high-value clients: merger details, litigation strategies, intellectual property, regulatory filings, and personal client data. A single breach can expose dozens or hundreds of organizations simultaneously.
2. Access Privileges: As trusted advisors, law firms often have privileged access to client systems, networks, and confidential databases—making them ideal pivot points for attackers seeking to compromise multiple targets.
3. Historic Security Underinvestment: The legal industry's traditional resistance to technology adoption has left many firms with outdated infrastructure and insufficient security measures. According to ABA data, while 80% of law firms had technology insurance in 2023, only 34% had an incident response plan.
4. Billable Hour Economics: Law firm economics discourage investment in non-billable activities like cybersecurity. Time spent on security doesn't generate revenue, creating perverse incentives against robust security programs.
5. Diverse Technology Ecosystems: Law firms using 7+ communication and collaboration tools experience 3.55 times more breaches than those with consolidated systems—and professional services firms demonstrate the highest tool proliferation in any sector (80% using four or more tools).
6. Active Targeting by Specialized Threat Groups: Groups like Silent Ransom Group (SRG) have consistently targeted US-based law firms since Spring 2023, specifically because of the "highly sensitive nature of legal industry data."
The Professional Services Supply Chain Crisis
The Fried Frank breach exemplifies a broader crisis: professional services firms—law firms, accounting firms, consultants, and specialized advisors—have become the most dangerous weak links in organizational security supply chains.
The Supply Chain Attack Explosion of 2024
The data is overwhelming:
- 47% of organizations suffered from vendor and supply-chain attacks in 2024
- 62% of ransomware victims were impacted by attacks originating from software supply chain partners
- 179% year-over-year increase in weekly supply chain cyber attacks
- 99% of Global 2000 companies are directly connected to a vendor that has experienced a breach
- 68% increase in software supply chain attacks targeting file transfer systems
Why Professional Services Represent Unique Risk
Unlike typical IT or software vendors, professional services firms create asymmetric risk relationships:
Information Asymmetry: Clients share vast amounts of sensitive data with law firms, accountants, and consultants, but have limited visibility into how that data is secured. Most organizations have no idea what security controls their outside counsel implements.
Regulatory Privilege: Attorney-client privilege and work product protections can actually hinder cybersecurity, as firms may be reluctant to share security incidents or audit results that could waive privilege or expose professional liability.
Regulatory Obligations vs. Market Incentives: While lawyers have ethical obligations under ABA Rule 1.6 to protect client confidentiality and "make reasonable efforts to prevent unauthorized access," there's little market pressure to invest in advanced security until after a breach occurs.
Cross-Client Contamination: A single breach at a law firm doesn't just affect one client—it can expose confidential information from dozens of clients simultaneously, as attackers gain access to shared infrastructure and document management systems.
The Fourth-Party Problem
The Goldman Sachs-Fried Frank incident illustrates what security professionals call "fourth-party risk"—risk from your vendors' vendors. Goldman Sachs likely has sophisticated third-party risk management (TPRM) programs, vendor security assessments, and contractual security requirements. But do they audit the security practices of every law firm, accounting firm, and consultant those vendors use?
The interconnected nature of professional services creates cascading risk:
- Your law firm uses a document management vendor
- That vendor uses a cloud infrastructure provider
- That cloud provider uses third-party monitoring tools
- Each link in this chain represents potential exposure
According to TPRM research, 28% of federal government agencies exchange data with 5,000+ third parties. Professional services firms often sit at the nexus of these complex vendor ecosystems, aggregating risk across multiple organizations.
The Human Factor: How Breaches Actually Happen
While the Fried Frank incident hasn't disclosed the specific attack vector, industry data reveals the most common entry points for law firm breaches:
Phishing and Social Engineering (Primary Attack Vector)
- 88% of data breaches involve human error, according to Stanford/Tessian research
- 80% of law firms use spam filters as their primary cybersecurity tool—focusing on prevention rather than assuming compromise
- Lawyers are particularly vulnerable to sophisticated phishing attacks disguised as court documents, client communications, or urgent legal deadlines
Real Example: Ascension Healthcare's 2024 ransomware attack began when an employee mistakenly downloaded a malicious file, leading to $1.8 billion in operating margin losses.
Ransomware Evolution
The ransomware threat has evolved dramatically, with the ALPHV/BlackCat group (involved in major law firm attacks) demonstrating sophisticated tactics that reportedly extended to corrupting insiders in the incident response industry:
- 500% increase in average ransom payments (now $2 million average)
- Double extortion tactics: encrypt systems AND threaten to leak stolen data
- Triple extortion: Add DDoS attacks or threats to notify clients/regulators
- Ransomware-as-a-Service (RaaS): ALPHV/BlackCat and similar operations have professionalized cybercrime
Unpatched Vulnerabilities
The "regreSSHion" OpenSSH vulnerability discovered in 2024 highlighted how critical infrastructure vulnerabilities can persist unpatched, especially in professional services firms that lack dedicated security teams.
Insider Threats and Credential Compromise
The DigitalMint investigation into alleged cooperation between ransomware negotiators and attackers revealed how trusted insiders can become threat vectors—particularly relevant for professional services firms where individual employees have broad access to client data and incident response teams may have conflicts of interest.
The Economics of Professional Services Breaches
Direct Costs
For Law Firms:
- Average breach cost: $5.08 million
- Legal settlements: $8.5 million (Gunster example)
- Forensics and incident response: $50,000-$500,000+
- Regulatory fines and penalties
- Credit monitoring for affected individuals
For Clients:
- Notification costs across multiple client bases
- Potential regulatory investigations
- Loss of privileged communications
- Competitive intelligence exposure
- Reputational damage
Indirect Costs
Market Impact:
- 37% of legal clients willing to pay premium for firms with strong cybersecurity
- Client defection after breaches
- Increased insurance premiums (50%+ surge in cyber insurance costs)
- Loss of competitive bidding opportunities
Operational Disruption: The CDK Global automotive dealership software attack (June 2024) resulted in $1 billion+ in losses, demonstrating how professional services disruptions cascade through entire industries.
What Makes This Different: The Goldman Sachs Response
Goldman Sachs' handling of the Fried Frank breach reveals several important lessons:
Transparency Under Pressure
Despite the reputational risk, Goldman sent detailed notifications to affected investors on December 19, 2024, before the full scope was understood. This transparency, while legally required in many jurisdictions, demonstrates evolving expectations around third-party breach disclosure.
System vs. Data Distinction
Goldman's emphasis that "Goldman Sachs' systems were not impacted" is technically accurate but highlights a critical distinction: system security doesn't equal data security when third parties hold your data.
Ongoing Analysis
The acknowledgment that analysis is "ongoing" weeks after notification is realistic but concerning—it suggests the breach scope, duration, and specific data compromised may still be unknown.
The Regulatory and Legal Landscape
ABA Ethical Obligations
ABA Rule 1.6 (Confidentiality of Information): Requires lawyers to make "reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."
ABA Formal Opinion 483: Provides guidance on lawyers' obligations to protect confidential information from cyberattack, including:
- Periodic security assessments
- Employee training
- Due diligence on vendor security
- Incident response planning
The Gap: Only 34% of law firms have incident response plans despite 80% having cyber insurance.
State Breach Notification Requirements
All 50 U.S. states have data breach notification laws with varying requirements (use our comprehensive State Breach Notification Requirements Tracker to navigate these complexities):
- Timeline for notification (typically 30-90 days)
- Threshold for notification (often when "harm" is reasonably likely)
- Content requirements (what information must be disclosed)
- Regulatory reporting obligations
The patchwork of state laws creates compliance complexity for national law firms and their clients.
Cyber Insurance Considerations
The Denial Risk: Cyber insurance carriers are increasingly scrutinizing law firm policies:
- Pre-breach security assessments required
- Multi-factor authentication mandates
- Incident response plan requirements
- Exclusions for "failure to maintain reasonable security"
The Coverage Question: When a law firm is breached, whose insurance pays?
- Law firm's professional liability insurance?
- Law firm's cyber insurance?
- Client's cyber insurance?
- Contractual indemnification provisions?
The Fried Frank incident will likely test these coverage boundaries.
Building Resilient Professional Services Security
For Organizations Using Professional Services Firms
1. Vendor Security Due Diligence
Move beyond questionnaires to substantive assessment:
- SOC 2 Type II audit requirements
- Penetration testing results
- Incident response plan documentation
- Cyber insurance evidence and coverage limits
- Security awareness training programs
- Multi-factor authentication verification
2. Contractual Protections
Include specific security requirements:
- Encryption standards (data at rest and in transit)
- Access control requirements
- Incident notification timelines (24-48 hours)
- Indemnification provisions
- Right to audit security controls
- Data deletion requirements upon engagement termination
3. Data Minimization
Share only necessary information:
- Avoid sending full databases when samples suffice
- Redact non-essential personal information (use our PII Sensitive Data Compliance Navigator to understand which data types are considered sensitive across states)
- Use secure file transfer systems, not email
- Implement data retention policies
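The data-minimization checklist above is easy to state and easy to get wrong in practice, because the full record usually gets exported and "cleaned up" by hand. The following Python is an added illustration (not code from the article, Goldman Sachs or Fried Frank) of the two controls that matter most before a dataset leaves for outside counsel: an allow-list that drops every field the engagement does not need, and masking of identifier-shaped strings that survive in allowed fields, with a final gate that refuses to ship anything still containing an unmasked SSN or account number. Field names, the sample records and the allow-list are constructed assumptions.

```python
"""Data minimization before sharing investor records with an outside firm.

Added example for the 'Data Minimization' checklist; not code from the
article or any firm it names. SAMPLE_RECORDS, the field names and the
allow-list below are constructed for illustration.
"""
import random
import re
from typing import Iterable

# Constructed sample of the kind of record a fund administrator might hold.
SAMPLE_RECORDS = [
    {"investor_id": "INV-0001", "name": "A. Example", "ssn": "123-45-6789",
     "account_number": "9876543210", "email": "a@example.test",
     "fund": "Fund I", "commitment_usd": 1_000_000, "address": "1 Main St"},
    {"investor_id": "INV-0002", "name": "B. Example", "ssn": "987-65-4321",
     "account_number": "1234567890", "email": "b@example.test",
     "fund": "Fund II", "commitment_usd": 250_000, "address": "2 Main St"},
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # 123-45-6789
ACCOUNT_RE = re.compile(r"\b\d{9,12}\b")             # long bare digit runs


def mask_ssn(value: str) -> str:
    """Keep only the last four digits of every SSN-shaped token."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], value)


def mask_account(value: str) -> str:
    """Keep only the last four digits of every account-number-shaped token."""
    return ACCOUNT_RE.sub(
        lambda m: "*" * (len(m.group(0)) - 4) + m.group(0)[-4:], value)


def minimize_record(record: dict, allowed_fields: Iterable[str]) -> dict:
    """Copy only allow-listed fields, masking identifiers inside string values.

    Fields outside the allow-list are dropped rather than masked: the safest
    data to share with a vendor is data that never leaves.
    """
    allowed = set(allowed_fields)
    out = {}
    for key, value in record.items():
        if key not in allowed:
            continue
        if isinstance(value, str):
            value = mask_account(mask_ssn(value))
        out[key] = value
    return out


def minimize_dataset(records, allowed_fields, sample_size=None, seed=0):
    """Minimize every record; optionally ship a sample instead of the full set."""
    minimized = [minimize_record(r, allowed_fields) for r in records]
    if sample_size is not None and sample_size < len(minimized):
        minimized = random.Random(seed).sample(minimized, sample_size)
    return minimized


def residual_identifiers(records) -> int:
    """Count unmasked SSN/account-shaped strings still present in a dataset.

    Use as the final gate before transfer: a non-zero result means the
    allow-list or masking rules need fixing, not the transfer tool.
    """
    count = 0
    for r in records:
        for v in r.values():
            if isinstance(v, str) and (SSN_RE.search(v) or ACCOUNT_RE.search(v)):
                count += 1
    return count


if __name__ == "__main__":
    allowed = ["investor_id", "name", "ssn", "fund", "commitment_usd"]
    outgoing = minimize_dataset(SAMPLE_RECORDS, allowed)
    print(outgoing)
    print("residual identifiers:", residual_identifiers(outgoing))
```

The allow-list is deliberately the primary control and masking the backstop: masking only catches strings that look like identifiers, while an allow-list removes whole categories (email, address, account number) that the engagement never needed in the first place.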
4. Continuous Monitoring
Don't treat vendor risk as a "check the box" annual exercise:
- Subscribe to breach notification services
- Monitor dark web for vendor mentions
- Require quarterly security updates
- Conduct periodic security reviews
- Track vendor security incidents in your ecosystem
- Learn from insider threat case studies that demonstrate why offboarding and access revocation matter
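The fourth-party chain described earlier (your law firm uses a document management vendor, which uses a cloud provider, which uses monitoring tools) and the "track vendor security incidents in your ecosystem" item above are the same problem: given a breach notification naming some party, which of your direct vendors sit on a dependency path to it, and what data of yours do those vendors hold? The following Python is an added illustration (not code from the article or any firm it names) that models the vendor inventory as a dependency graph, computes transitive exposure, and matches a breach feed against it. The inventory, data-flow labels and feed entries are constructed sample data; the party names are placeholders, not real organizations.

```python
"""Fourth-party exposure mapping and breach-feed matching.

Added example for 'The Fourth-Party Problem' and the 'Continuous Monitoring'
checklist; not code from the article or any firm it names. VENDOR_GRAPH,
DATA_HELD and SAMPLE_FEED are constructed placeholders.
"""
from collections import deque

# Constructed inventory. Edges point from a party to the parties it depends on;
# "us" is the organization running the assessment.
VENDOR_GRAPH = {
    "us": ["outside-counsel-llp", "audit-firm", "payroll-saas"],
    "outside-counsel-llp": ["doc-mgmt-vendor", "email-host"],
    "audit-firm": ["doc-mgmt-vendor"],
    "payroll-saas": ["cloud-provider-a"],
    "doc-mgmt-vendor": ["cloud-provider-a", "monitoring-tool"],
    "email-host": ["cloud-provider-b"],
    "cloud-provider-a": [],
    "cloud-provider-b": [],
    "monitoring-tool": ["cloud-provider-a"],
}

# Constructed: which classes of our data each direct vendor holds.
DATA_HELD = {
    "outside-counsel-llp": {"investor PII", "fund structures", "privileged comms"},
    "audit-firm": {"fund financials"},
    "payroll-saas": {"employee PII"},
}


def reachable(graph, start):
    """Every party that `start` depends on, directly or transitively (BFS)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def find_path(graph, start, target):
    """Shortest dependency path from start to target, for the incident record."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for dep in graph.get(node, []):
            if dep not in parents:
                parents[dep] = node
                queue.append(dep)
    return []


def exposure_paths(graph, breached, root="us"):
    """Direct vendors whose chain includes `breached`, mapped to that chain.

    A direct vendor is exposed if it is the breached party itself or if the
    breached party is one of its transitive sub-processors.
    """
    paths = {}
    for vendor in graph.get(root, []):
        if vendor == breached or breached in reachable(graph, vendor):
            paths[vendor] = find_path(graph, vendor, breached)
    return paths


def assess_feed(feed, graph=VENDOR_GRAPH, data_held=DATA_HELD):
    """Match breach-feed entries against the inventory and list data at risk."""
    known = set(graph) | {d for deps in graph.values() for d in deps}
    findings = []
    for entry in feed:
        party = entry["entity"]
        if party not in known:
            continue  # not part of our ecosystem; nothing to do
        paths = exposure_paths(graph, party)
        if not paths:
            continue
        data = set().union(*(data_held.get(v, set()) for v in paths))
        findings.append({"entity": party, "date": entry["date"],
                         "exposed_via": paths, "data_at_risk": sorted(data)})
    return findings


# Constructed breach-feed entries, as a notification service might deliver them.
SAMPLE_FEED = [
    {"entity": "cloud-provider-a", "date": "2024-12-19"},
    {"entity": "unrelated-corp", "date": "2024-12-20"},
    {"entity": "outside-counsel-llp", "date": "2024-12-21"},
]

if __name__ == "__main__":
    for finding in assess_feed(SAMPLE_FEED):
        print(finding)
```

The point the graph makes visible is that a single shared sub-processor (cloud-provider-a here) turns three separate vendor relationships into one incident, and that the data at risk is the union of everything those vendors hold, not just the data handled by whichever party appears in the headline.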
For Law Firms and Professional Services Providers
1. Security as Competitive Advantage
The market is shifting—37% of clients will pay premium for strong security:
- Obtain and publicize SOC 2 certification
- Implement ISO 27001 frameworks
- Showcase security investments in RFP responses
- Create client security portals showing measures in place
2. Defense in Depth
Layer security controls:
- Email security (advanced anti-phishing)
- Endpoint detection and response (EDR)
- Network segmentation (client data isolation)
- Zero-trust architecture
- Privileged access management
- Data loss prevention (DLP)
3. Incident Response Preparedness
The 34% of firms without IR plans are negligent:
- Develop and test incident response procedures
- Identify response team (internal + external counsel)
- Pre-engage forensics firm
- Establish communication protocols
- Create client notification templates
- Conduct tabletop exercises quarterly
4. Security Awareness Culture
Technology alone won't prevent the 88% of breaches caused by human error:
- Monthly phishing simulations
- Role-specific security training
- Executive cybersecurity briefings
- Security champions program
- Incident reporting incentives (not punishment)
5. Cyber Insurance with Teeth
Don't just buy coverage—understand it:
- Know coverage limits and sub-limits
- Understand exclusions (especially "failure to maintain reasonable security")
- Verify breach response services included
- Test notification procedures with insurer
- Review coverage annually as practice evolves
The Broader Implications: Third-Party Risk in the Age of Interconnection
The Systemic Risk Problem
Professional services firms create systemic risk concentrations:
- A handful of elite law firms serve most Fortune 500 companies
- "Big Four" accounting firms dominate public company audits
- Major consulting firms have broad access across industries
If one of these firms suffers a significant breach, the cascading impact could affect entire sectors. Financial regulators have begun focusing on these "too interconnected to fail" scenarios.
The Nation-State Threat
According to the UK's National Cyber Security Centre (NCSC), state-sponsored attacks targeting critical national infrastructure have jumped from 20% to 40% of all attacks. Professional services firms serving government contractors, defense companies, and critical infrastructure operators are prime espionage targets.
The Check Point breach (2024) demonstrated that even cybersecurity vendors that document threats can become victims; applied to law firms handling classified information, trade secrets, or sensitive government work, that lesson should concern policymakers.
The Generative AI Complication
As professional services firms rapidly integrate AI tools into their workflows:
- 82% of security professionals worry about AI-enabled attacks
- Enterprise employees input confidential data into ChatGPT 199 times weekly on average
- Many SaaS providers have integrated LLMs without client notification
- AI hallucinations could expose confidential information
- Prompt injection and data poisoning attacks create new vectors
The intersection of AI adoption and professional services creates unprecedented risk.
Lessons from the Fried Frank Breach
For Executive Leadership
1. Third-Party Risk is Enterprise Risk: The Goldman Sachs board will likely face questions about law firm vendor management. Third-party breaches affect enterprise reputation and client trust just as directly as internal breaches.
2. Vendor Security Assessment is Not Optional: Regular, substantive security assessments of critical vendors—including law firms—must become standard practice. The days of assuming professional services firms maintain adequate security are over.
3. Breach Response Speed Matters: Goldman's rapid notification to investors (within days) demonstrates appropriate urgency. Delays in notification compound reputational damage and legal exposure.
For Security Professionals
1. The Vendor Risk Program Must Extend to Professional Services: If your TPRM program focuses primarily on IT vendors and ignores law firms, consultants, and accountants, you have a critical gap.
2. Fourth-Party Risk Requires Attention: Understanding your vendors' vendors is no longer optional for critical relationships. Law firms' document management systems, cloud providers, and collaboration tools all represent potential exposure.
3. Continuous Monitoring Beats Point-in-Time Assessment: Annual vendor security questionnaires are insufficient. Real-time monitoring of vendor security posture, breach notifications, and dark web mentions should be standard.
For Legal and Compliance Teams
1. Ethical Obligations Meet Business Reality: Lawyers' duty to protect client confidentiality under Rule 1.6 now explicitly includes cybersecurity measures. Firms failing to implement reasonable security face both malpractice and ethical violations.
2. Contractual Protections Must Evolve: Standard engagement letters should include specific security requirements, breach notification timelines, and indemnification provisions. Generic confidentiality clauses are insufficient.
3. Insurance Coverage Requires Review: The intersection of professional liability, cyber insurance, and client indemnification creates complex coverage questions that should be addressed before incidents occur.
The Path Forward: Building Trust in the Age of Interconnection
The Goldman Sachs-Fried Frank breach represents more than another data security incident—it's a wake-up call about the fundamental trust relationships underlying modern business.
When you hire a law firm, you're not just buying legal expertise—you're entrusting them with your most sensitive information and, implicitly, trusting their cybersecurity infrastructure, their vendors' security, and their employees' security awareness. The same applies to accountants, consultants, and any professional services provider handling confidential data.
The Trust Equation is Changing
Clients are beginning to ask:
- "What security certifications do you hold?"
- "When was your last penetration test?"
- "Do you have cyber insurance, and what are the limits?"
- "What's your incident response plan?"
- "How do you protect our data from your vendors' breaches?"
Professional services firms that can't answer these questions substantively will increasingly lose business to competitors who can.
The Regulatory Reckoning Approaches
Regulators are taking notice of professional services security:
- Enhanced scrutiny of audit firm cybersecurity (PCAOB)
- Focus on law firm data protection (state bar associations)
- Consultation on third-party risk management standards (financial regulators)
- Potential mandatory security standards for professional services
The voluntary, self-regulated approach that has characterized legal and accounting profession cybersecurity may be ending.
The Market Solution
Ultimately, market forces may drive change faster than regulation:
- Clients demanding security certifications in RFPs
- Cyber insurance carriers requiring specific controls
- Breach settlements creating financial consequences
- Competitive differentiation based on security posture
Law firms and professional services providers that invest in security today will have competitive advantages tomorrow.
Conclusion: Your Law Firm is Your Liability Until They Prove Otherwise
The Goldman Sachs-Fried Frank Harris Shriver & Jacobson breach crystallizes an uncomfortable truth: in our interconnected digital economy, your organization's security is only as strong as your least secure critical vendor—and professional services firms have emerged as high-risk weak links.
The core lessons:
- Professional services firms are prime targets because they aggregate sensitive data from multiple high-value clients
- Traditional security assumptions no longer apply—prestige, reputation, and professional standing don't correlate with cybersecurity maturity
- Third-party breaches create first-party consequences—clients face notification obligations, reputational damage, and potential regulatory scrutiny
- The legal and ethical frameworks are evolving—both formal regulation and market expectations are demanding stronger security
- Proactive vendor risk management is essential—organizations must substantively assess and continuously monitor professional services vendor security
For organizations working with law firms, accounting firms, and consultants: demand transparency, require substantive security controls, and build contractual protections. Your vendor's security incident will become your data breach notification.
For professional services firms: recognize that cybersecurity has become a core professional competency and competitive differentiator. Clients are watching, regulators are focused, and the market is shifting. Investment in security today prevents devastating breaches tomorrow.
The question is no longer "Could our law firm be breached?" but "When our law firm is breached, will we discover it in time, and will we have the protections in place to manage the fallout?"
Immediate Actions for Organizations
If you work with Fried Frank Harris Shriver & Jacobson:
- Monitor for notification letters regarding the breach
- Review engagement agreements for breach notification requirements
- Contact the firm directly for status updates
- Consider credit monitoring and identity theft protection
- Document any suspicious activity related to exposed information
If you work with any professional services firm:
- Conduct immediate security assessment of critical vendors
- Review and strengthen contractual security requirements
- Implement continuous vendor risk monitoring
- Develop third-party breach response procedures
- Assess cyber insurance coverage for vendor breach scenarios
If you are a professional services firm:
- Conduct comprehensive security assessment
- Develop or update incident response plan
- Implement multi-factor authentication across all systems
- Establish regular security awareness training
- Consider SOC 2 Type II certification
- Review cyber insurance coverage and exclusions
Additional Resources
For Professional Services Security:
- ABA Cybersecurity Legal Task Force: https://www.americanbar.org/groups/cybersecurity/
- AICPA SOC 2 Reporting: https://www.aicpa.org/soc2
- NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
For Vendor Risk Management:
- Shared Assessments SIG Questionnaire: https://sharedassessments.org/
- ISO 27001 Information Security Management: https://www.iso.org/isoiec-27001-information-security.html
For Incident Response:
- CISA Incident Response Resources: https://www.cisa.gov/incident-response
- SANS Incident Handler's Handbook: https://www.sans.org/
Breach Notification Requirements:
- State-by-State Guide: https://notification.breached.company/
- Sensitive Data Classification Tool: https://breached.company/game-changer-for-breach-response-new-tool-instantly-maps-sensitive-data-across-all-19-u-s-state-privacy-laws/
- Understanding State Breach Reporting: https://breached.company/complex-web-of-data-breach-reporting-each-us-state/
For updates on this developing story and analysis of other major breaches, visit breached.company
About This Analysis
This article synthesizes breaking news reports, industry research, legal filings, and cybersecurity trend data to provide comprehensive context on the Goldman Sachs-Fried Frank breach and the broader professional services supply chain risk crisis. Information is current as of December 27, 2024, and may be updated as additional details emerge.
Corrections or tips: Contact via the CISO Marketplace at https://cisomarketplace.com
Related Coverage on Breached.Company:
- Safeguarding Legal Practice: Understanding Breaches in the Legal Industry
- When the Defenders Become Attackers: BlackCat Ransomware Operations
- DOJ Investigation Exposes Corruption in Ransomware Negotiation Industry
- Silent Ransom Group Targeting Law Firms (PDF)
- Breach Notification Requirements Tracker
- Insider Threats: The IT Contractor Revenge Hack