Fragomen, Del Rey, Bernsen & Loewy, LLP a legal firm specialising in immigration law, has revealed it has been subject to a serious data leak, exposing both former and current Google staff members’ personal information.

The legal enterprise is among the largest in the United States that currently cover laws concerning immigration. An extensive and international operation, Fragomen employs more than 582 professional attorneys, spread out across 47 different locations around the globe.

Damaging data leak exposes USA employment forms

Google staff members potentially affected by the recent data breach were issued a “Notice of Data Breach” from the law firm, where Fragomen informed them of its responsibility in delivering verification employment services (I-9 Forms) to their employer.

The notification continued on to tell recipients that the legal firm had recently discovered that its enterprise network had been successfully hacked by cyber criminals. It added that the hacker responsible for the intrusion had managed to access a file on the system that contained personal information on Google personnel.

The notification read:

“We recently became aware of suspicious activity within our computer network. While our investigation is ongoing, we discovered that an unauthorized third party gained access to a single file containing personal information relating to I-9 employment verification services. This file contained personal information for a discrete number of Googlers (and former Googlers), including you,” the data breach notification stated.”

Personally Identifiable Information (PII) retained in an I-9 form

An I-9 form is an obligatory document that must be completed fully by all employees working in the United States, in order to declare not only their status of citizenship, but also their right to be employed in the country.

Each instance of a completed form contains an extensive amount of PII. The full name of an employee along with their date of birth and social security number are all included. On top of this, both email and postal mailing addresses, as well as home and mobile telephone numbers are listed. Due to the documentation’s purpose being related to immigration, the I-9 eligibility form may also feature a passport number among other nationality-related data.

Access to this type of sensitive personal information can have hazardous circumstances for those it belongs to, if it falls into the wrong hands. Hackers and other malicious actors in the cybercriminal world can employ it in a wide spectrum of schemes and scams. PII can be used to create high-spec phishing attacks on enterprises and individuals, or can simply be used to steal funds, access accounts and assume identities. Those informed of a data leak should keep a close eye on their associated accounts and credit report, and check for any suspicious transactions.

Although the incident is being investigated by Fragomen, Del Rey, Bernsen & Loewy, LLP no information is currently available on the hacker responsible for the infiltration and subsequent leak, nor how the penetration was able to take place. To make amends to the members of Google’s staff impacted by the breach, the firm has offered a single year of professional credit monitoring free of charge.