The US Securities and Exchange Commission (SEC) has sued international law firm Covington & Burling for details about 298 of the biz’s clients whose information was accessed by a Chinese state-sponsored hacking group in November 2020.
The data theft in question is the now-infamous Microsoft Exchange attack in which Hafnium exploited four zero-day vulnerabilities in the email platform to steal data from US-based defense contractors, law firms, and infectious disease researchers.
Covington was one of the breached law firms, and the intrusion gave the Beijing-backed cyberspies access to some of Covington’s clients that are regulated by the US agency.
“Covington has admitted that a foreign actor intentionally and maliciously accessed the files of Covington’s clients, including companies regulated by the Commission,” the lawsuit says. “In light of this reported breach, the Commission is seeking to determine whether the malicious activity resulted in violations of the federal securities laws to the detriment of investors.”
The law firm, headquartered in Washington, DC, specializes in regulatory and public policy matters and its attorneys include former government officials.
In March 2022, the SEC issued a subpoena asking Covington to hand over information about the security breach including, among other things, the names of all the affected clients, the amount of information that was accessed or stolen, and communications between the law firm and the clients about the exfiltration.
Covington complied with most of the subpoena, but told the SEC it wouldn’t be able to produce a full list of