Security News > 2023 > January > Lawyers slam SEC for 'blatant fishing expedition' after Exchange mega-attack

The US Securities and Exchange Commission has sued international law firm Covington & Burling for details about 298 of the biz's clients whose information was accessed by a Chinese state-sponsored hacking group in November 2020.

In March 2022, the SEC issued a subpoena asking Covington to hand over information about the security breach including, among other things, all of the affected clients' names, and the amount of information that was accessed or stolen, and communications between the law firm and the clients about the exfiltration.

Covington complied with most of the subpoena, but told the SEC it wouldn't be able to produce a full list of affected organizations by the deadline, according to the court documents.

"At the same time, we made clear to the SEC that we cannot voluntarily comply with any attempt by the agency to obtain client confidential information, including the identity of affected clients and attorney-client communications. Against this background, the firm intends to contest the SEC's subpoena enforcement action."

A June 2022 letter [PDF] to the SEC from Gibson Dunn, the law firm that is representing Covington, echoes this statement, and says Covington "Does not have the option of complying" with the subpoena by handing over communications with any of its clients who were affected by the Hafnium attack because they are protected by attorney-client privilege.

In a statement emailed to The Register, Kevin Rosen, a partner at Gibson Dunn, called the SEC lawsuit "a blatant fishing expedition that both targets Covington's clients without even a whiff of wrongdoing and attempts to coerce Covington's complicity in that effort."

News URL

https://go.theregister.com/feed/www.theregister.com/2023/01/12/sec_covington_hafnium/