A media and entertainment law firm representing high-profile artists like Lady Gaga, Madonna, Nicki Minaj and Bruce Springsteen has verified to clients a recent report that the company’s internal data systems were hacked, potentially exposing a trove of sensitive data.
“We can confirm that we’ve been victimized by a cyberattack,” a rep for Grubman Shire Meiselas & Sacks tells Rolling Stone in a statement. “We have notified our clients and our staff. We have hired the world’s experts who specialize in this area, and we are working around the clock to address these matters.”
Variety reported last week that a hacker group known as “REvil” or “Sodinokibi” claimed it had stolen 756 gigabytes of sensitive documents from the network of the New York law firm. The hackers alleged that the impacted clients included Lady Gaga, Madonna, Minaj, Springsteen, Mary J. Blige, Mariah Carey, Bette Midler, Christina Aguilera, Idina Menzel, Run DMC, Cam Newton, Jessica Simpson, Priyanka Chopra and Ella Mai.
The stolen data allegedly includes phone numbers, email addresses, personal correspondence, contracts and nondisclosure agreements. According to Emsisoft, a cybersecurity software and consulting company, the hackers posted evidence of the theft in a dark web forum that allows users to hide their identities through encryption. One document reportedly released by the group was an excerpt from a contract for Madonna’s 2019-2010 Madame X tour.
Emsisoft threat analyst Brett Callow told Variety that the released info amounts to a “warning shot” — or “the equivalent of a kidnapper sending a pinky finger.” Callow said the implied threat is that the group will publish other stolen data, potentially in installments, if the firm doesn’t pay a specific amount. (It’s currently unknown how much the group may be requesting in exchange for not releasing other materials.)
“Attacks on law firms are particularly concerning due the sensitivity of the information they hold,” Callow said in a statement to Rolling Stone. “For example, previous incidents have resulted in details veterans’ PTSD claims and child neglect cases being published online. And all of this information was posted on the clear web where it could be easily accessed by anybody with an internet connection.”
Callow estimates that U.S. organizations paid more than $1.3 billion in ransom demands last year. “Globally, the annual cost is almost $170 billion,” he added.
The Grubman Shire Meiselas & Sacks website only displays the company logo and, according to Variety, has remained in that state since Saturday morning.