Wiley Rein Sued Over 11-Month Data Breach, Delayed Client Notification

Sources: Above the Law

On May 22, 2026, Wiley Rein was sued following an 11-month cyberattack exposing client data.

Why it matters: Legal professionals must recognize growing risks from law firm cyber breaches involving sensitive client info. This case highlights pitfalls of delayed breach detection and notification, core to compliance and client trust.

  • Hackers accessed Wiley Rein’s Microsoft 365 accounts from July 2024 to June 2025.
  • The firm discovered the breach in June 2025 but only notified victims in March 2026.
  • Exposed information included names, birth dates, Social Security numbers, financial data, and medical info.
  • The class-action filed May 22, 2026, asserts Wiley Rein lacked multi-factor authentication and adequate cybersecurity training, citing 19 fraudulent charges on plaintiff Derrick Burkett’s account.

Wiley Rein LLP, a Washington, D.C.–based law firm, faces a class-action lawsuit filed May 22, 2026, in the U.S. District Court for the District of Columbia after a prolonged cyberattack.

Hackers accessed employee Microsoft 365 email accounts for 11 months, from July 2024 to June 2025. Although Wiley Rein detected the breach in June 2025, it delayed notifying affected clients and employees until March 2026 (Law360), raising questions about compliance with breach notification laws.

The breach exposed sensitive personal data, including names, birth dates, Social Security numbers, financial accounts, and medical information. Such data exposure heightens risks of identity theft and financial fraud.

The complaint accuses Wiley Rein of failing to implement multi-factor authentication (MFA), a standard cybersecurity control that requires multiple forms of user verification, and of providing insufficient employee cybersecurity training. Plaintiff Derrick Burkett claims the breach resulted in at least 19 unauthorized transactions on his MetLife estate account (Law360).

By delaying notification, the firm allegedly increased victims' vulnerability to identity theft by not providing timely warnings to monitor financial accounts or credit reports. The lawsuit seeks restitution, damages, and court-ordered enhancements to the firm’s cybersecurity practices.

Cybersecurity experts stress that MFA and prompt breach notification are essential, not optional, for law firms protecting confidential client information (Center for Internet Security). The incident underscores the growing legal and reputational risks law firms face amid escalating cyberattacks.

For general counsel and legal operations professionals, this case highlights the importance of proactive security measures and compliance with data breach laws to safeguard clients and minimize litigation exposure.

By the numbers:

  • 11 months — duration hackers accessed Wiley Rein’s Microsoft 365 accounts
  • March 2026 — date Wiley Rein notified breach victims, nine months after discovery
  • 19 — unauthorized charges on plaintiff Derrick Burkett’s MetLife estate account linked to the breach

Yes, but: The lawsuit focuses on allegations that have yet to be proven in court; Wiley Rein may contest claims regarding cybersecurity measures and notification timing.

What's next: Monitor developments as the class-action progresses; expect potential industry-wide scrutiny on law firms’ cybersecurity and breach notification practices.