Full Report
The State Bar of Texas is warning it suffered a data breach after the INC ransomware gang claimed to have breached the organization and began leaking samples of stolen data. [...]
Analysis Summary
# Incident Report: Texas State Bar Data Breach and INC Ransomware Attack
## Executive Summary
The State Bar of Texas suffered a data breach resulting from a ransomware attack, claimed by the INC ransomware gang, in which unauthorized network access persisted from late January to early February 2025. The threat actors accessed the network and exfiltrated member information, and the organization has notified affected individuals and offered credit monitoring. The initial access vector has not been disclosed. INC has since published partial samples of the stolen data on its leak site.
## Incident Details
- **Discovery Date:** February 12, 2025
- **Incident Date:** January 28, 2025 – February 9, 2025 (Duration of unauthorized access)
- **Affected Organization:** State Bar of Texas
- **Sector:** Legal/Professional Regulation
- **Geography:** Texas, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Commenced on or around January 28, 2025
- **Vector:** Not explicitly disclosed in the notification.
- **Details:** Unauthorized access to the network was established between January 28 and February 9, 2025.
### Lateral Movement
- Details regarding internal reconnaissance or lateral movement techniques are not explicitly provided in the public summary.
### Data Exfiltration/Impact
- **Date/Time:** Occurred during the access window (Jan 28 – Feb 9, 2025).
- **Details:** Threat actors stole certain information from the network, including members' full names and other data categories that are redacted in the public notification. The extortion phase followed on March 9, 2025, when the INC ransomware group claimed the attack and leaked file samples.
### Detection & Response
- **Detection:** The breach was discovered on February 12, 2025.
- **Response Actions:** The organization sent notification letters to affected members offering free credit and identity theft monitoring service coverage through Experian until July 31, 2025.
## Attack Methodology
- **Initial Access:** Not disclosed in the notification.
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown.
- **Discovery:** Unknown.
- **Lateral Movement:** Unknown.
- **Collection:** Data (including full names and other sensitive data) was gathered from the network.
- **Exfiltration:** Data confirmed stolen and subsequently leveraged by the INC gang for extortion, leading to public file leakage samples.
- **Impact:** Data breach resulting from unauthorized access and theft.
## Impact Assessment
- **Financial:** Costs associated with mitigation, notification, and offering identity theft monitoring services (specific figures not provided).
- **Data Breach:** Full names and other unspecified sensitive data belonging to State Bar members.
- **Operational:** Operational impact details are not specified, but the incident required formal breach notification procedures.
- **Reputational:** Negative impact due to a public data breach involving sensitive member data and an associated ransomware claim.
## Indicators of Compromise
- **Network indicators:** None provided (URLs/IPs were not present in the excerpt).
- **File indicators:** Samples of allegedly stolen files, including legal case documents, were leaked by the threat actor on their dark web site.
- **Behavioral indicators:** Unauthorized network access maintained over a 13-day period (Jan 28 – Feb 9, 2025).
## Response Actions
- **Containment:** Not detailed. The stated access window ends on February 9, three days before the February 12 discovery date, and the notification does not explain what ended the access or whether containment actions were taken before discovery.
- **Eradication:** Not detailed.
- **Recovery:** Technical recovery steps are not detailed. For affected members, the organization offered credit and identity theft monitoring through Experian and advised them to consider fraud alerts or credit freezes.
## Lessons Learned
- The incident highlights the ongoing risk of ransomware groups such as INC targeting regulated professional organizations that hold member and case-related data.
- The attackers held access for roughly 13 days (January 28 to February 9, 2025) before the February 12 discovery, indicating gaps in preventive controls, detection capability, or both.
## Recommendations
- Conduct a thorough forensic investigation to definitively identify the initial access vector and specific TTPs used by the INC group.
- Immediately review and enhance multi-factor authentication coverage across all critical systems.
- Review and strengthen patching cycles, especially concerning external-facing services often exploited by ransomware gangs.
- Enhance network segmentation and monitoring to detect prolonged unauthorized access more rapidly.