Full Report
Chris Dolmetsch and Bob Van Voris report: Goldman Sachs Group Inc. warned investors in some of its alternative investment funds that their data may have been exposed in a breach at one of the bank’s law firms. In a Dec. 19 letter, Goldman said it had been informed of a “cybersecurity incident” by Fried Frank Harris Shriver &...
Analysis Summary
# Incident Report: Third-Party Vendor Data Exposure Involving Goldman Sachs Counsel
## Executive Summary
Goldman Sachs disclosed that data belonging to some of its alternative investment fund investors may have been compromised following a cybersecurity incident at Fried Frank Harris Shriver & Jacobson LLP, one of its external law firms. The incident was disclosed via a letter dated December 19th to affected clients. Goldman Sachs confirmed its own systems were not impacted. The scope of data exposure at the law firm remains under investigation, and the firm is communicating with affected parties.
## Incident Details
- **Discovery Date:** December 19, 2025 (Date Goldman Sachs formally notified affected parties/learned of the incident via the law firm).
- **Incident Date:** Prior to December 19, 2025 (Date of the law firm's "cybersecurity incident").
- **Affected Organization:** Fried Frank Harris Shriver & Jacobson LLP (Third-party vendor/law firm).
- **Sector:** Legal Services (affecting Financial Sector clients).
- **Geography:** Not explicitly stated, but involves Goldman Sachs (US-based) and its counsel.
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed (Occurred sometime before December 19, 2025).
- **Vector:** Cybersecurity incident affecting Fried Frank's systems. The specific initial vector (e.g., phishing, direct network intrusion) is unknown.
- **Details:** Fried Frank informed Goldman Sachs of the incident.
### Lateral Movement
- **Details:** Unknown. The scope of movement within the law firm's environment is not detailed, although client data was potentially acquired.
### Data Exfiltration/Impact
- **Details:** Data belonging to investors in some of Goldman Sachs’ alternative investment funds may have been exposed (acquired/stolen). Fried Frank stated its belief that the data was "unlikely to be distributed or used improperly," which may suggest that a ransom was paid, though this is unconfirmed.
### Detection & Response
- **Detection:** Fried Frank detected the "cybersecurity incident" internally and then notified Goldman Sachs.
- **Response Actions:**
  1. Goldman Sachs began working with Fried Frank to understand the scope of exposure.
  2. Fried Frank contained the incident, engaged external data security experts, reported the matter to law enforcement, and began communicating directly with affected clients.
  3. A proposed class-action lawsuit was filed against Fried Frank by an investor.
## Attack Methodology
- **Initial Access:** Undetermined cybersecurity incident at the third-party law firm.
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown.
- **Discovery:** Unknown.
- **Lateral Movement:** Unknown.
- **Collection:** Attackers collected data pertaining to Goldman Sachs' alternative investment fund clients from the law firm's environment.
- **Exfiltration:** Unknown; the disclosure states only that data "may have been exposed."
- **Impact:** Exposure/theft of sensitive client investment data.
## Impact Assessment
- **Financial:** Potential costs related to mandatory client notifications, potential litigation costs for Fried Frank, and potential regulatory scrutiny.
- **Data Breach:** Investor data from Goldman Sachs' alternative investment funds. Specific volume or nature of data (beyond being client/investor data) is unknown.
- **Operational:** Fried Frank stated they continue to serve clients without disruption. Goldman Sachs confirmed its own systems remained secure.
- **Reputational:** Negative publicity for both Goldman Sachs (as the victim entity whose client data was compromised via a vendor) and Fried Frank.
## Indicators of Compromise
- No specific network indicators (IPs, URLs) or file hashes were detailed in the provided context.
- **Behavioral Indicators:** Unauthorized access and exfiltration from the systems of Fried Frank Harris Shriver & Jacobson LLP.
## Response Actions
- **Containment:** Fried Frank reported promptly acting to contain the incident.
- **Eradication:** Fried Frank engaged industry-leading, external data security experts to verify system security.
- **Recovery actions:** Fried Frank is currently notifying affected clients.
## Lessons Learned
- Reliance on third-party vendors (especially outside counsel holding sensitive client data) introduces significant, unmitigated risk to an organization’s data security posture, even when the primary organization’s own systems are secure.
- The impacted vendor's incident response suggests possible obfuscation of the full scope of the breach: it remains unanswered why the data is "unlikely to be distributed."
## Recommendations
- Conduct rigorous, ongoing security vetting and audits of all third-party vendors, particularly legal counsel and other entities processing sensitive client PII or financial data.
- Review contract language regarding data breach notification timelines and forensic cooperation requirements for third-party incidents.
- Ensure robust data minimization practices are in place, limiting the amount of sensitive client data shared with external counsel to only what is strictly necessary for their representation.