Supreme Bar Council of Poland reports third party data breach exposing thousands of lawyers
Learn More
On February 14, 2025, a data breach affecting the Polish legal community was disclosed, impacting thousands of lawyers and trainee lawyers associated with the Supreme Bar Council (Naczelna Rada Adwokacka, NRA) of Poland.
Indicators of the breach were first noted on December 27, 2024, when a group calling themselves "Fredens of Security" posted about an alleged leak from the NRA. The situation escalated on February 14, 2025, when a breach notification was sent at 2:00 AM, followed by the actual data leak occurring at approximately 8:00 PM the same day. By this time, the cybercriminal group's Telegram channel, which had been used to announce the breach, had already been deactivated.
The Supreme Bar Council notified the Office for Personal Data Protection and launched an internal investigation. According to their preliminary findings, the breach likely originated from a third-party vendor developing an IT system for the council, rather than from the NRA's own infrastructure.
The exposed data includes
- 10,337 names
- 9,037 social security (PESEL) numbers
- Password hashes
The NRA has begun notifying affected individuals. The investigation into the breach is ongoing. The Telegram channel associated with the threat actors was deactivated in January 2025, potentially complicating efforts to track the spread of the stolen data.
