Jeff Anderson & Associates, the St. Paul law firm best known for suing Catholic dioceses over clergy sexual abuse, is now dealing with a crisis of its own. On Feb. 18, 2026, the firm disclosed it had been swept up in a widespread cyberattack, saying the intrusion occurred on Sept. 18, 2025. After negotiations with the attackers, the firm says it paid a ransom in exchange for written assurances that stolen client files would be deleted. Anderson & Associates says it has found no evidence that the information was misused and is offering 24 months of credit monitoring to affected clients.
According to the Star Tribune, the firm began notifying clients in December. A sample notice posted by regulators shows the firm filed a consumer notification with the California Attorney General. That sample notice lists Sept. 18, 2025 as the date of the incident and explains how to enroll in Experian IdentityWorks for 24 months, including a dedicated phone line and email address for questions.
Connection to a Wider SonicWall Compromise
The firm says its breach was part of a broader compromise tied to SonicWall’s MySonicWall cloud backup service, which investigators say exposed firewall configuration backups for numerous customers. Reporting by BleepingComputer describes how a state-sponsored threat actor carried out the September attack and warns that exposed backup files could open the door to follow-on intrusions at victim organizations.
Firm Response and Client Protections
In comments to the Star Tribune, Jeff Anderson & Associates confirmed it paid a ransom and received “written confirmation that the data was securely deleted,” while declining to reveal how much money changed hands. The firm says the type of data exposed varies by client and that its formal investigation wrapped up in December. A sample notice on file with California officials shows the firm is offering affected clients identity restoration services and daily credit monitoring through Experian for two years.
Legal and Ethical Questions
Cybersecurity experts and bar groups note that law firms carry a heightened ethical duty to protect client confidentiality, including supervising outside vendors that handle sensitive information. The New York City Bar's formal opinion on cybersecurity and American Bar Association guidance both highlight duties of technological competence and the difficult tradeoffs firms face when deciding whether to pay extortion demands.
For clients caught up in this breach, the firm’s notice filed with the California Attorney General urges vigilance: review bank and credit statements, consider placing a fraud alert or credit freeze, and use the provided activation code to enroll in Experian monitoring. The situation now shifts to a waiting game over whether any stolen files surface, whether regulators open inquiries, and whether other local firms that used the same firewall backups quietly report similar incidents.
