According to court records, the Securities and Exchange Commission has sued law firm Covington & Burling for information on roughly 300 clients whose information was accessed or taken by hackers in a previously unknown incident.
According to a lawsuit filed Tuesday by the SEC, hackers associated with the Hafnium cyber-espionage group, which has alleged ties to the Chinese government, gained access to Covington’s computer networks around November 2020, accessing private information about the firm’s clients, including 298 publicly traded companies.
The agency has asked a federal judge in Washington, D.C., to order Covington to comply with a subpoena demanding the names of the corporations, claiming that it is investigating possible securities offenses related to the hack.
A spokesman for the SEC declined to comment.
Covington’s legal team stated in a letter to SEC investigators that an internal probe revealed the breach was directed at a “limited group of lawyers and consultants” and was focused on “policy matters of particular importance to China in light of the incoming Biden Administration.”
The company is headquartered in Washington, D.C. Covington specializes in regulatory work and litigation. It has a strong pool of federal government lawyers on its roster, including former U.S. Attorney General Eric Holder.
The legal firm informed the SEC it is bound by attorney-client privilege and client confidentiality to resist the portion of the subpoena requiring it to name its clients. According to the SEC’s lawsuit, it said only seven of the affected companies’ files contained information that could be material to investors, a figure the commission said it could not verify.
According to Covington, the firm was the victim of a “state-sponsored” cyberattack. According to a firm spokeswoman, the company contacted potentially affected clients and collaborated with the FBI to investigate the incident.
The SEC, which has made cybersecurity a primary priority during the Biden administration, said in a filing that Covington’s standing as a large law firm does not “insulate it from the Commission’s legitimate investigative responsibilities.”
Kevin Rosen, a lawyer at the legal firm Gibson, Dunn & Crutcher defending Covington, branded the SEC’s demand a “fishing expedition” and a “broad assault on the attorney-client relationship and personal client information.”