ACCORDING to DataBreaches[.]Net, SRG gained access to Orrick, Herrington & Sutcliffe LLP in January 2026 and remained in its network for about a week, with the attack not involving malware. Orrick, which has over 25 offices worldwide, reported gross revenue exceeding $1.5 billion in 2025.
The group offered $1,000,000 to resolve the matter, a sum SRG described as far less than requested, and negotiations began in early February 2026, culminating in SRG adding Orrick to its leak site on 23 February 2026 after rejecting higher offers. The data tranche leaked included many files that appeared confidential, with some plaintext and unprotected files relating to litigation and consumer complaints involving StubHub.
DataBreaches notes that Orrick had previously faced a 2023 data breach affecting 461,000 people, and that in the 2024 settlement the firm agreed to security improvements, including enhanced detection, vulnerability scanning, and endpoint protection. SRG claimed to have used a variety of methods to gain access and stated that the firm’s security was improved after the prior incident, yet SRG got past those defenses.