By Mike Scarcella

WASHINGTON, May 26 (Reuters) - Prominent U.S. law firm Wiley Rein has been sued in a proposed class action alleging the firm failed to protect sensitive personal data stolen by hackers believed to be affiliated with the Chinese government.

The lawsuit was filed on Friday in the federal court in Washington by a Florida resident and seeks class-action status for potentially thousands of people.

The complaint alleges that cybercriminals accessed Microsoft 365 email accounts belonging to certain Wiley Rein personnel between July 2024 and June 2025 before the firm detected the intrusion last year.

The stolen data allegedly includes names, addresses, dates of birth, financial account numbers, medical information, and full or partial Social Security numbers, according to the lawsuit. The firm did not begin notifying victims until on or around March 6, 2026, the complaint said.

Wiley Rein and a lead attorney for the plaintiff did not immediately respond to requests for comment.

Wiley Rein acknowledged after an internal probe that "a group that may be affiliated with the Chinese government" carried out the intrusion, according to the lawsuit.

In a notice to at least one victim, Wiley Rein said that the firm was arranging for the person to have 12 months of complimentary credit monitoring, and that it had "taken additional steps to enhance our existing security measures."

Law firms, like other major U.S. businesses, have faced a wave of cyberattacks in recent years. Law firms are particularly attractive targets for sophisticated criminal and state-linked hackers drawn to the vast troves of sensitive client data they hold.

Wiley Rein employs 260 attorneys and is known for its regulatory legal services, including for the telecommunications industry.

The named plaintiff, Derrick Burkett, said he does not know how Wiley Rein came to possess his information, though he believes it was obtained in connection with the firm's representation of a client.

The complaint alleges the breach occurred through a so-called phishing email, and that Wiley Rein failed to implement basic cybersecurity safeguards, including multi-factor authentication and adequate staff training.

“Wiley Rein’s breach differs from typical data breaches because it affects consumers who had no relationship with Wiley Rein, never sought one, and never consented to Wiley Rein collecting and storing their information,” the lawsuit said.

Burkett alleges he suffered at least 19 fraudulent charges to a MetLife estate account following the breach.

The case is Derrick Burkett v. Wiley Rein, U.S. District Court for the District of Columbia, No. 26-cv-1791.

For plaintiff: Michael Fuller Jr of Farrell & Fuller, and David Ackerman of Motley Rice

For defendant: No appearance yet

Read more:

Law firm Jones Day says hackers accessed client files

Law firm Pillsbury faces class actions over April data breach

US law firm Kelley Drye hit with class action after data breach