Data Breach Affects Celebrities Like Lady Gaga

Written by Jackson Letson

Jackson brings over 20 years of experience in the technology sector and has held leadership roles in Technical Support, IT Service Management, Network Performance Management, Virtualization, IT Operations Management, and now Managing Partner at NOFTEK.

May 1, 2020

In our last post, we introduced you to Mossack Fonseca, a law firm that went under after a data breaching involving prime ministers and actors. That 2016 case proved that high-individual people can be just as vulnerable to data breaches, if not more so, than your everyday civilians. So does this case involving an entertainment law firm called Grubman Shire Meiselas & Sacks. What happened here?

In 2020, entertainment firm Grubman Shire Meiselas & Sacks became the victim of a data breach by a hacking group known as REvil. Up to 756 gigabytes of data were leaked, among them celebrities’ personal correspondence, email addresses, phone numbers, nondisclosure agreements, and contracts. 

Keep reading to learn more about this very recent case, what the fallout looks like so far, and what you can do to better protect yourself or your business from data breaches like the one at Grubman Shire Meiselas & Sacks. 

Who Is Grubman Shire Meiselas & Sacks?

Grubman Shire Meiselas & Sacks is a New York-based media and entertainment law firm. The firm was founded by Allen J. Grubman, an entertainment lawyer from Crown Heights, Brooklyn. 

Grubman studied at the Brooklyn Law School as well as the City College of New York. After graduating, he struggled to find a job in law, so he decided to start his own firm. This is how Grubman Shire Meiselas & Sacks was born. At this time, in the 1970s, it was called Grubman Indursky & Shire after Arthur Indursky and Paul Schindler, two graduates of Brooklyn Law School in Grubman’s class.

Grubman worked mostly with disco artists for a while, until 1982, when music great Bruce Springsteen signed with the entertainment firm. As of 2005, 30 attorneys were a part of Grubman Shire Meiselas & Sacks. Grubman was once called “the most powerful lawyer in the music business” by Business Week in 1992. 

What Happened?

In May 2020, Grubman Shire Meiselas & Sacks fell victim to a ransomware attack. The hackers, known only as Sodinokibi or REvil, used malware with file encryption to receive 756 gigabytes of personal, internal data from the entertainment law firm’s website. 

At current, the hackers want to exploit the files for money, asking for a ransom and threatening to put the files on the dark web if the ransom isn’t paid. It appears they’re going after each celebrity who’s a client of Grubman Shire Meiselas & Sacks, of which there are many. Some of the celebrities whose information was hacked include:

  • Dwyane Johnson
  • Tom Cruise
  • Nicki Minaj
  • Christina Aguilera
  • Madonna
  • The Kardashians 
  • Elton John
  • Bruce Springsteen
  • Rod Stewart
  • Sean “Puffy” Combs
  • Andrew Lloyd Webber
  • Barbra Streisand 
  • Robert DeNiro
  • David Letterman
  • Jennifer Lopez
  • Mary J. Blige
  • Mariah Carey
  • Jessica Simpson
  • Lady Gaga 

Besides those individual celebrities, some companies associated with Grubman Shire Meiselas & Sacks were also involved in the hacking. These are:

  • Vice Media
  • HBO
  • Sony
  • IMAX
  • iHeartMedia
  • Activision
  • Facebook

What kind of information did the hackers get? A lot of personal data that celebrities especially don’t want getting into the wrong hands, such as nondisclosure agreements, active cases, personal correspondence, contracts and–much more damning–email addresses and phone numbers. 

Now, that’s a lot of major-name celebrities to have personal information for. To prove they’re legit, the hackers posted details of the Madonna Madame X tour, including part of a contractual document. 

The above celebrities and companies may not be the only victims, by the way, but only those we know at current. Grubman Shire Meiselas & Sacks has a huge list of clients. Some other companies besides those listed above that may be involved in the hacking include:

  • Universal Music Group
  • Tribeca Film Festival
  • Spotify
  • Scott Rudin Productions
  • Samsung Electronics
  • Playboy Enterprises
  • Nederlander Organization
  • NBA Entertainment
  • MTV
  • Martha Stewart Living Omnimedia
  • Live Nation
  • IAC
  • Focus Features
  • EMI Music Group
  • Azoff MSG Entertainment

The firm represents these athletes, who could also be hacking victims:

  • Victor Cruz
  • Sloane Stephens
  • Sean Avery
  • Scottie Pippen
  • Mike Tyson
  • LeBron James
  • Henrik Lundqvist
  • Colin Kaepernick
  • Cam Newton

Musicians who are likely clients of Grubman Shire Meiselas & Sacks, besides those above, currently comprise this potential list of hacked stars:

  • The Whitney Houston Estate
  • Sting
  • Lil Wayne
  • Ricky Martin
  • U2
  • The David Bowie Estate
  • Lizzo
  • Maroon 5
  • Timbaland
  • Nas
  • Shania Twain
  • AC/DC
  • Fiona Apple

Those who don’t fit into the above groups but are also clients of the firm (and thus could have been involved in the hack) are:

  • The Osbourne family
  • Naomi Campbell
  • Shay Mitchell
  • Meg Ryan
  • Barbara Walters
  • Sofia Vergara
  • Martha Stewart
  • Diane Sawyer
  • Mariska Hargitay
  • Gayle King
  • David Geffen
  • Clive Davis

It’s believed that more documents will surely follow if there’s a lack of compliance with REvil’s demands. The hacking group had previously successfully hacked a currency exchange company in the UK called Travelex, extorting $2.3 million, all in bitcoin currency, to get their data back. Could the same be true of Grubman Shire Meiselas & Sacks? 

What Were the Consequences?

Considering how recently this case happened, the consequences have not yet fully transpired. Not much is known about the hacking group whose done this, REvil, except that they’ve also hacked the National Association of Eating Disorders, Kenneth Cole, 10X Genomics, and Brooks International as well as the above-mentioned Travelex. It’s unclear if the hacking group got money out of its other victims. 

REvil does seem to be willing to give up a decryption key to unlock the ransomware on Grubman Shire Meiselas & Sacks’ website, but not without them paying for it. As of current, the entertainment firm’s website is unnavigable, with only the name of the firm on the homepage and nothing to click.

This case may not have yet wrapped up, but it’s still easy to envision the catastrophic consequences. Celebrities are often a target of hacks, such as nude photo scandals, but information like contracts, NDAs, email addresses, and phone numbers is far more damaging if it gets out there. These celebrities could be harassed and stalked because of the breach.

Grubman Shire Meiselas & Sacks could be bullied by REvil into paying possibly huge sums, even bigger than Travelex did due to the nature of the breach. The company’s reputation can also easily be irreparably damaged. Their current clients may want to jump ship to a safer alternative, hurting the entertainment firm’s revenue in an already painful economic year. 

What Was Learned?

Just because a law firm has a client roster worth billions of dollars doesn’t mean that firm’s website is exempt from being hacked. It’s unclear as of current which vulnerabilities existed in the Grubman Shire Meiselas & Sacks website, but what we’re certain of is that the site must have had some vulnerabilities to have fallen victim to these current consequences. 

Here are a few takeaways to keep in mind for this case, which is still under development:

  • No matter how well-established you are, your website needs to be secure from top to bottom. That’s doubly, even triply true if you represent celebrities, whose information is worth a lot more if hacked. 
  • You cannot get lax with your security, even during times of a pandemic. Ransomware attacks have become fewer during 2020’s first quarter, but now that the country is reopening, it’s anticipated that ransomware will ramp back up again.
  • By using the Noftek defense system, it’s possible to protect your data from within, prioritizing your security and privacy no matter what kind of business you run. 

You May Also Like…