St. Paul law firm, famous for clergy sex abuse cases, snared in data breach

A St. Paul law firm well-known for litigating clergy sex abuse cases had its computer systems breached in a cyberattack involving scores of companies nationwide.

In December, Jeff Anderson & Associates began notifying 1,184 of its clients about the data breach, which occured in September, the firm said in a statement to the Minnesota Star Tribune.

Anderson & Associates paid a ransom to hackers to ensure its client data wasn’t released publicly. It declined to say how much.

In a required filing with California regulators, Anderson & Associates did not elaborate on the type of data accessed by hackers.

The exposed data varied by client, the law firm said in a statement to the Star Tribune.

“Each individual that has been notified has received an individual letter indicating their specific data elements,” the statement said.

Anderson & Associates told clients there is no evidence their data has been misused or made public.

Hackers often sell purloined data on the dark web, a bazaar for illegal transactions. Sometimes they demand a ransom to keep information from being released publicly.

Anderson & Associates said in its statement to the Star Tribune that, in return for the ransom, it received “written confirmation that the data was securely deleted.” It didn’t disclose the name of the hacking group.

Jeff Anderson, a personal injury attorney, has long been known nationally for representing victims of child sexual abuse, particularly in suits against Catholic dioceses and religious orders.

Anderson & Associates said the hack occurred on Sept. 18, and that its breach investigation concluded in December. The firm is offering affected clients free access to a credit monitoring service for 24 months.

The hack was part of a much larger breach of firewall protection technology sold by SonicWall, a cybersecurity vendor, the law firm said.

An epidemic of cyberattacks has hit companies and governments over the past several years.

In 2025, the United States experienced a record 3,322 data breaches affecting 227 million people, according to the Identity Theft Resource Center, which has tracked such data for 20 years.

Last year’s largest breach – at educational software provider PowerSchools – hit 71.9 million people nationally, according to the identity theft center. That breach exposed the data of thousands of Minnesota students at 15 public school districts and about 25 charter schools.

Two large Minnesota cyberattacks have been reported just since late December: One involved data from about 235,000 member accounts at Blaze Credit Union; the other concerned records of 304,000 people held by the Minnesota Department of Human Services.

The Blaze breach and the Anderson & Associates hack appear to be related.