[{"data":1,"prerenderedAt":131},["ShallowReactive",2],{"article-slug-docketwise-data-breach-impacts-over-116000-individuals":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":21,"sources":22,"events":35,"mitre_techniques":42,"mitre_mitigations":59,"d3fend_countermeasures":87,"iocs":102,"cyber_observables":103,"tags":114,"extract_datetime":121,"article_type":122,"impact_scope":123,"pub_date":32,"reading_time_minutes":130,"createdAt":121,"updatedAt":121},"c57ef076-5f8e-48d2-9c1a-c50f6605bf8c","docketwise-data-breach-impacts-over-116000-individuals","Immigration Law Platform DocketWise Discloses Breach Affecting Over 116,000 People","DocketWise Data Breach Exposes Sensitive Personal Information of 116,666 Individuals","DocketWise, a cloud-based case management platform for immigration lawyers, has reported a data breach that exposed the highly sensitive personal information of 116,666 individuals. The breach, discovered in October 2025, occurred when an unauthorized actor gained access to a third-party partner repository containing law firm records. The compromised data includes names, Social Security numbers, passport numbers, financial details, and medical information, posing a significant risk of identity theft and fraud.","## Executive Summary\n**DocketWise**, a provider of cloud-based case management software for immigration law firms, has disclosed a significant data breach affecting 116,666 individuals. The incident stemmed from unauthorized access to a data repository managed by a third-party partner. An unauthorized actor used valid credentials to access and copy files containing extensive and highly sensitive records from DocketWise's law firm customers. 
The exposed data includes a wide range of Personally Identifiable Information (PII), such as Social Security numbers, passport numbers, financial account details, and medical information. The breach, first identified in October 2025, highlights the risks that supply chain security failures pose to the highly sensitive data handled by legal tech platforms.\n\n## Threat Overview\nThis incident is a textbook supply chain data breach: the compromise of a third-party vendor led to the exposure of the primary organization's data.\n- **Attack Vector:** Access through a partner that held DocketWise data ([`T1199 - Trusted Relationship`](https://attack.mitre.org/techniques/T1199/)), using valid credentials for the partner's repository ([`T1078 - Valid Accounts`](https://attack.mitre.org/techniques/T1078/)). How those credentials were obtained (e.g., phishing, brute force, info-stealer malware) was not disclosed.\n- **Targeted Data:** The disclosure states that the actor copied files containing law firm records ([`T1213 - Data from Information Repositories`](https://attack.mitre.org/techniques/T1213/)). It does not say whether those files were singled out or the repository was copied wholesale, so the degree of targeting is unknown.\n- **Data Exfiltration:** Copying the files out of the repository is a confirmed exfiltration event. The disclosure does not name the channel; the closest mapped technique is [`T1537 - Transfer Data to Cloud Account`](https://attack.mitre.org/techniques/T1537/), which fits if the actor copied objects directly into storage under their control.\n\n## Technical Analysis\nThe core failure appears to be in the security posture of the third-party partner. The phrase \"valid credentials\" implies that a credential alone was sufficient to read the repository, which points to missing or unenforced **[Multi-Factor Authentication (MFA)](https://www.cisa.gov/mfa)** on that access path and raises the question of how the credential was issued, stored and rotated. Once in, the actor copied a large volume of data without being stopped, which suggests that read activity on the repository was not monitored, rate-limited or covered by Data Loss Prevention (DLP) controls.\n\nThe incident underscores the principle that an organization's security is only as strong as its weakest link, which often lies within its supply chain. 
DocketWise, as the data controller, remains responsible for protecting its clients' data, even when it is stored or processed by a third-party partner.\n\n## Impact Assessment\nThe impact of this breach is extremely severe for the 116,666 affected individuals. The compromised data is a 'gold mine' for identity thieves and fraudsters. It includes all the necessary elements to perpetrate sophisticated fraud:\n- **Identity Theft:** Names, dates of birth, SSNs, and passport numbers can be used to open fraudulent accounts, file fake tax returns, or create synthetic identities.\n- **Financial Fraud:** Exposed financial account and payment card information can be used for direct theft.\n- **Targeted Scams:** The data pertains to immigration clients, a particularly vulnerable population. Attackers could use the information to create highly convincing phishing or extortion scams, such as demanding payment to avoid deportation or to expedite a non-existent case.\n- **Medical Identity Theft:** Exposed health insurance and medical information can be used to obtain medical services or prescription drugs fraudulently.\n\nFor DocketWise and its law firm customers, the breach results in massive reputational damage, regulatory fines (under state data breach laws), and the high cost of incident response and potential class-action lawsuits.\n\n## Cyber Observables for Detection\n- **Cloud Repository Access Logs:** Monitor access logs for third-party storage repositories (e.g., AWS S3, Azure Blob Storage) for anomalous access patterns, such as logins from unrecognized IP addresses or unusually large data downloads.\n- **Credential Exposure:** Continuously scan dark web forums and code repositories for leaked credentials belonging to the organization or its third-party vendors.\n\n## Detection & Response\n- **Third-Party Risk Management (TPRM):** Implement a robust TPRM program that includes thorough security assessments of all vendors before they are onboarded. 
This should include reviewing their security policies, certifications (e.g., SOC 2, ISO 27001), and incident response plans.\n- **Data Access Monitoring:** Enforce logging and monitoring on all data repositories, whether internal or third-party. Use UEBA and data access monitoring tools to alert on anomalous behavior, such as a user account accessing an unusual volume of data.\n- **Incident Response Planning:** Ensure that incident response plans explicitly cover scenarios involving third-party breaches. This includes clear communication channels and contractual obligations for timely notification from the vendor.\n\n## Mitigation\n- **Enforce MFA on Third Parties:** Contractually require all third-party partners who handle sensitive data to enforce MFA on all administrative and data access accounts. This is a non-negotiable control.\n- **Principle of Least Privilege:** Ensure that third-party vendors are only granted the absolute minimum level of access required for their function. They should not have standing access to large datasets unless it is operationally essential.\n- **Data Encryption:** All sensitive data, both at rest in the repository and in transit, must be encrypted. While this would not have prevented this specific breach (as the attacker had valid credentials), it is a foundational security control.\n- **Data Minimization:** Only store the data that is absolutely necessary. Regularly purge old records that are no longer required for legal or business reasons to reduce the potential impact of a future breach.","⚖️ DocketWise, an immigration law software platform, discloses a data breach affecting 116,666 people. A third-party partner was compromised, exposing SSNs, passport numbers, and financial data. 
📄 #DataBreach #Privacy #LegalTech","DocketWise, a case management platform for immigration lawyers, has reported a third-party data breach that exposed the sensitive personal information of 116,666 individuals.",[13,14,15],"Data Breach","Supply Chain Attack","Policy and Compliance","high",[18],{"name":19,"type":20},"DocketWise","company",[],[23,29],{"url":24,"title":25,"date":26,"friendly_name":27,"website":28},"https://www.classaction.org/news/docketwise-data-breach-affects-116k-lawsuit-possible","DocketWise Data Breach Affects 116K, Lawsuit Possible - Class Action","2026-04-06","ClassAction.org","classaction.org",{"url":30,"title":31,"date":32,"friendly_name":33,"website":34},"https://www.securityweek.com/250000-affected-by-data-breach-at-nacogdoches-memorial-hospital/","250,000 Affected by Data Breach at Nacogdoches Memorial Hospital","2026-04-03","SecurityWeek","securityweek.com",[36,39],{"datetime":37,"summary":38},"2025-10-01T00:00:00Z","DocketWise discovers unauthorized access to a third-party partner repository.",{"datetime":40,"summary":41},"2026-04-03T00:00:00Z","DocketWise begins sending data breach notification letters to affected individuals.",[43,47,51,55],{"id":44,"name":45,"tactic":46},"T1199","Trusted Relationship","Initial Access",{"id":48,"name":49,"tactic":50},"T1078","Valid Accounts","Defense Evasion",{"id":52,"name":53,"tactic":54},"T1213","Data from Information Repositories","Collection",{"id":56,"name":57,"tactic":58},"T1537","Transfer Data to Cloud Account","Exfiltration",[60,69,78],{"id":61,"name":62,"d3fend_techniques":63,"description":67,"domain":68},"M1032","Multi-factor Authentication",[64],{"id":65,"name":62,"url":66},"D3-MFA","https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication","Requiring MFA for access to sensitive data repositories would have likely prevented this breach, as the attacker's stolen credentials alone would have been 
insufficient.","enterprise",{"id":70,"name":71,"d3fend_techniques":72,"description":77,"domain":68},"M1026","Privileged Account Management",[73],{"id":74,"name":75,"url":76},"D3-DAM","Domain Account Monitoring","https://d3fend.mitre.org/technique/d3f:DomainAccountMonitoring","Applying the principle of least privilege to third-party accounts ensures that even if compromised, they only have access to the minimum data necessary, limiting the breach's impact.",{"id":79,"name":80,"d3fend_techniques":81,"description":86,"domain":68},"M1047","Audit",[82],{"id":83,"name":84,"url":85},"D3-SFA","System File Analysis","https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis","Continuously auditing and monitoring access logs for data repositories can help detect anomalous activity, such as large-scale data downloads, indicative of a breach.",[88,90,96],{"technique_id":65,"technique_name":62,"url":66,"recommendation":89,"mitre_mitigation_id":61},"To prevent supply chain breaches like the one at DocketWise, which was caused by compromised credentials at a third-party partner, organizations must contractually mandate the use of MFA for all vendor access to their data. This should be a non-negotiable clause in all vendor contracts. The requirement should specify phishing-resistant MFA, such as FIDO2 hardware keys, where possible. DocketWise should have ensured that any partner repository hosting their client data had MFA enforced for all administrative and data access accounts, including non-interactive service accounts, which for cloud storage usually means short-lived, workload-bound credentials rather than a static access key. With a second factor or bound credential required, the stolen credential alone would likely have been insufficient; phishing-resistant factors matter because push-approval and one-time-code MFA can still be defeated by real-time phishing or approval fatigue. 
Verifying this control through regular vendor security assessments is a critical part of a Third-Party Risk Management (TPRM) program.",{"technique_id":91,"technique_name":92,"url":93,"recommendation":94,"mitre_mitigation_id":95},"D3-RAPA","Resource Access Pattern Analysis","https://d3fend.mitre.org/technique/d3f:ResourceAccessPatternAnalysis","To detect a breach in a third-party repository, DocketWise or its partner should have been performing resource access pattern analysis. This involves instrumenting the data repository to log all access events and feeding those logs into a security analytics platform. The platform would then baseline normal access patterns for the vendor's service accounts. A detection rule should have been in place to alert on significant deviations, such as: 1) Access from an IP address or geographic location not associated with the vendor. 2) A massive increase in the volume of data being read or downloaded by a single account. 3) Access to a large number of distinct files or records in a short time frame. Any of these would have flagged the credential misuse and bulk copying as it happened, turning a discovery that came only after the data had been copied into an alert that could be acted on within hours. Baselines should be learned per account over a quiet period, and thresholds set against a high percentile of that account's own history rather than a single global number, or legitimate vendor batch jobs will bury the alert in noise.","M1040",{"technique_id":97,"technique_name":98,"url":99,"recommendation":100,"mitre_mitigation_id":101},"D3-ITF","Inbound Traffic Filtering","https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering","Access to sensitive third-party data repositories should be strictly controlled via inbound traffic filtering. The repository that hosted DocketWise's data should have been configured to only accept connections from a pre-approved list of IP addresses belonging to the vendor's legitimate operational infrastructure. All other access from the public internet should have been blocked at the network level. 
Source-address filtering enforced on the storage side (for example a bucket policy condition on the caller's source IP, or a storage-account firewall rule) would have blocked use of the stolen credentials from any network the vendor does not control. It does not help if the actor operated from a compromised host inside those ranges, and the disclosure does not say where the access came from, so it is a defense-in-depth layer rather than a guarantee. It still raises the bar for the attacker significantly and should be a standard requirement in any organization's TPRM program for vendors handling sensitive data.","M1031",[],[104,109],{"type":105,"value":106,"description":107,"context":108,"confidence":16},"log_source","Cloud Storage Access Logs","Logs from services like AWS S3 or Azure Blob Storage are essential for detecting unauthorized access to third-party repositories.","SIEM, Cloud Security Monitoring",{"type":110,"value":111,"description":112,"context":113,"confidence":16},"user_account_pattern","Third-party service accounts","Monitor the activity of accounts used by vendors for anomalous patterns, such as accessing data outside of business hours or downloading unusually large volumes of files.","IAM logs, UEBA",[115,116,117,118,119,120],"PII","supply chain","third-party risk","legal tech","GDPR","identity theft","2026-04-03T15:00:00.000Z","NewsArticle",{"geographic_scope":124,"countries_affected":125,"industries_affected":127,"people_affected_estimate":129},"national",[126],"United States",[128],"Legal Services","116,666",5,1775683824462]
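The resource access pattern analysis recommended in the article (source outside the vendor's ranges, read-volume spike, many distinct objects in a short window) is implemented below as an added worked example. It is not code from DocketWise, its partner, or the article. The log format is a constructed, simplified one-JSON-object-per-line form (account, src_ip, op, key, bytes, ts) rather than any vendor's real access-log schema, and the service-account name, CIDR allowlist and baseline figures are assumptions; the sample log is built inline and labelled as constructed.

```python
"""Resource access pattern analysis over cloud object-storage access logs.

Added example, not code from DocketWise or its partner. Log lines are a
constructed, simplified JSON-per-line format (account, src_ip, op, key,
bytes, ts); the account name, CIDR allowlist and baseline numbers are
assumptions for illustration.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed per-account baseline, normally learned from a quiet period:
# the vendor's egress ranges and its 95th-percentile hourly read volume
# and distinct-object count.
BASELINES = {
    'svc-vendor-sync': {
        'allowed_cidrs': ['203.0.113.0/24'],   # TEST-NET-3, illustrative
        'p95_bytes_per_hour': 1_000_000,
        'p95_objects_per_hour': 20,
    },
}
SPIKE_FACTOR = 3            # alert when a window exceeds 3x the baseline
WINDOW = timedelta(hours=1)


def build_sample_log():
    """Constructed sample: normal vendor traffic, then a bulk-copy burst
    from an address outside the vendor's ranges, using the same account."""
    lines = []
    t0 = datetime(2025, 10, 1, tzinfo=timezone.utc)
    for i in range(60):                       # one 100 KB record every 10 min
        lines.append(json.dumps({
            'account': 'svc-vendor-sync', 'src_ip': '203.0.113.10',
            'op': 'GET', 'key': f'firm-records/{i:05d}.json',
            'bytes': 100_000,
            'ts': (t0 + timedelta(minutes=10 * i)).isoformat()}))
    t1 = t0 + timedelta(hours=12)
    for i in range(300):                      # 300 distinct 1 MB files in 20 min
        lines.append(json.dumps({
            'account': 'svc-vendor-sync', 'src_ip': '198.51.100.7',
            'op': 'GET', 'key': f'firm-records/{1000 + i:05d}.json',
            'bytes': 1_000_000,
            'ts': (t1 + timedelta(seconds=4 * i)).isoformat()}))
    return lines


def parse_line(line):
    rec = json.loads(line)
    rec['ts'] = datetime.fromisoformat(rec['ts'])
    rec['src_ip'] = ipaddress.ip_address(rec['src_ip'])
    return rec


def ip_allowed(ip, cidrs):
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def analyze(lines, baselines=BASELINES):
    """Return one alert dict per (account, rule) that fires."""
    per_account = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        per_account[rec['account']].append(rec)

    alerts = []
    for account, recs in per_account.items():
        base = baselines.get(account)
        if base is None:                      # no baseline: never seen before
            alerts.append({'account': account, 'rule': 'unknown_account',
                           'detail': f'{len(recs)} events from an unbaselined account'})
            continue
        # Rule 1: any event from outside the vendor's known ranges.
        outside = sorted({str(r['src_ip']) for r in recs
                          if not ip_allowed(r['src_ip'], base['allowed_cidrs'])})
        if outside:
            alerts.append({'account': account, 'rule': 'source_outside_allowlist',
                           'detail': ', '.join(outside)})
        # Rules 2 and 3: worst one-hour sliding window over read events.
        reads = sorted((r for r in recs if r['op'] == 'GET'), key=lambda r: r['ts'])
        worst_bytes, worst_objects, start = 0, 0, 0
        for end, r in enumerate(reads):
            while r['ts'] - reads[start]['ts'] > WINDOW:
                start += 1
            window = reads[start:end + 1]
            worst_bytes = max(worst_bytes, sum(w['bytes'] for w in window))
            worst_objects = max(worst_objects, len({w['key'] for w in window}))
        if worst_bytes > SPIKE_FACTOR * base['p95_bytes_per_hour']:
            alerts.append({'account': account, 'rule': 'read_volume_spike',
                           'detail': f'{worst_bytes} bytes read in one hour'})
        if worst_objects > SPIKE_FACTOR * base['p95_objects_per_hour']:
            alerts.append({'account': account, 'rule': 'distinct_object_spike',
                           'detail': f'{worst_objects} distinct objects in one hour'})
    return alerts


if __name__ == '__main__':
    for alert in analyze(build_sample_log()):
        print(alert['account'], alert['rule'], alert['detail'])
```

Run stand-alone it prints three alerts for `svc-vendor-sync` (outside source `198.51.100.7`, volume spike, distinct-object spike); the normal first half of the log alone produces none. The sliding window is deliberately per account rather than global so a vendor's legitimate batch job does not set the threshold for every other account, and an account with no baseline is itself an alert, since a credential the vendor never registered should not be reading the repository at all.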