Posted July 13, 2026

Pillsbury Winthrop Shaw Pittman LLP (“Pillsbury”) places a priority on the privacy and security of personal information. Pillsbury was one of many firms targeted by sophisticated social engineering attempts in an incident last year. While the firm quickly detected and blocked the activity, an unauthorized actor accessed some of the firm’s documents during a short window of time.  

What happened

Pillsbury was one of many law firms targeted by sophisticated social engineering attempts. While we quickly detected and blocked the activity, unfortunately, an unauthorized actor was able to download a smaller subset of the firm’s documents that were accessed during a short window of time on April 29-30, 2025.  

We immediately began an investigation with assistance from a third-party forensic firm to investigate what happened and what data may have been impacted.  We also notified law enforcement and worked to add further protections to harden our systems. 

Pillsbury notified any impacted clients last year and reviewed the accessed documents for personal information.  Pillsbury then began notifying individuals whose personal information was affected.  That process is now complete, and today, Pillsbury is publishing substitute notice as a final step to provide information included in individual notification letters to individuals for whom the firm has insufficient or out-of-date contact information. 

What personal information was involved

Pillsbury conducted a thorough and analysis of the impacted data to determine what personal information it contained and to whom that information belonged. The analysis of the impacted data identified personal information that varied by individual and could include: Social Security number, national identification number, bank account number, passport number, date of birth, driver's license number, other government-issued identifier, medical information, and health insurance identifiers.

What we are doing

The firm has offered impacted individuals a complimentary 24-month membership for credit monitoring and identity theft protection services through Equifax.   

Pillsbury is committed to safeguarding personal information. Pillsbury has enhanced its security measures and deployed additional technical, administrative, and physical safeguards, including reinforcing our security practices and regularly reviewing our systems to enhance security monitoring and controls. 

What you can do

While we are not aware of any misuse of the impacted data, we encourage individuals who believe they may be affected to take the following precautions:  

  • Remain vigilant against threats of identity theft or fraud and to regularly review and monitor your account statements and credit history for any signs of unauthorized transactions or activity.  
  • Contact your local police if you ever suspect that you are the victim of identity theft or fraud. 

For more information: 

A dedicated call center is set up to answer your questions about this incident. You may call it toll free at +1 (855) 720-3612, Monday through Friday 9 a.m. to 9 p.m. ET (excluding major U.S. holidays). 


Additional information for US residents

U.S. customers are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit reports, visit www.annualcreditreport.com or call toll-free +1 (877) 322-8228. If you see errors on that report, you can contact the relevant credit bureau:

  • Equifax. PO Box 740241, Atlanta, GA 30374 | 1+ (800) 685-1111 | www.equifax.com
  • Experian. PO Box 9701, Allen, TX 75013 | 1+ (888) 397-3742 | www.experian.com
  • TransUnion. PO Box 2000, Chester, PA 19016 | 1+ (888) 909-8872 | www.transunion.com 

Those credit bureaus also have tools you can use to protect your credit, including fraud alerts and security freezes.

  • A fraud alert is a cautionary flag you can place on your credit file to notify companies extending you credit that they should take special precautions to verify your identity. You can contact any of the three consumer reporting agencies to place fraud alerts with each agency. The alert lasts for one year, but you can renew it.
  • A security freeze is a more dramatic step that will prevent others from accessing your credit report, which makes it harder for someone to open an account in your name. You must contact each consumer reporting agency separately to order a security freeze, and they may require you to provide them with your full name, Social Security number, date of birth, and current and prior addresses. There is no charge for requesting a security freeze.

You may contact the U.S. Federal Trade Commission (FTC) for information on fraud alerts, security freezes, and how to protect yourself from identity theft. The FTC can be contacted at 400 7th St. SW, Washington, DC 20024; telephone +1 (877) 382-4357 or www.consumer.gov/idtheft.

Your state Attorney General may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your state Attorney General, or the FTC.

California residents: Visit the California Office of Privacy Protection (https://oag.ca.gov/privacy) for additional information on protection against identity theft.

District of Columbia residents: The District of Columbia Attorney General may be contacted at: 400 6th Street, NW, Washington, DC 20001; +1 (202) 727-3400, oag@dc.gov and www.oag.dc.gov.

Iowa residents: The Attorney General can be contacted at the Office of Attorney General of Iowa, Hoover State Office Building, 1305 E. Walnut Street, Des Moines, Iowa 50319; +1 (515) 281-5164, www.iowaattorneygeneral.gov.

Kentucky residents: The Attorney General can be contacted at Office of the Attorney General of Kentucky, 700 Capitol Avenue, Suite 118 Frankfort, Kentucky 40601, www.ag.ky.gov, Telephone: +1 (502) 696-5300.

Maryland residents: The Attorney General can be contacted at Office of Attorney General, 200 St. Paul Place, Baltimore, Maryland 21202; +1 (888) 743-0023 or www.marylandattorneygeneral.gov.

Massachusetts residents: Under Massachusetts law, you have the right to obtain any police report filed in connection with the cybersecurity event. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.

North Carolina residents: The Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; +1 (919) 716-6400 or www.ncdoj.gov.

New Mexico residents: You have rights under the federal Fair Credit Reporting Act (FCRA), which governs the collection and use of information pertaining to you by consumer reporting agencies. For more information about your rights under the FCRA, please visit https://www.ftc.gov/system/files/ftc_gov/pdf/fcra-march-2026.pdf or www.ftc.gov.

New York residents: The Attorney General can be contacted at the Office of the Attorney General, The Capitol, Albany, NY 12224-0341; +1 (800)-771-7755 or www.ag.ny.gov.

Oregon residents: The Attorney General can be contacted at Oregon Department of Justice, 1162 Court Street NE, Salem, OR 97301-4096; +1 (877) 877-9392 (toll-free in Oregon), +1 (503) 378-4400, or www.doj.state.or.us.

Rhode Island residents: The Attorney General can be contacted at 150 South Main Street, Providence, Rhode Island 02903; +1 (401) 274-4400 or www.riag.ri.gov. You may also file a police report by contacting local or state law enforcement agencies.

For Arizona, California, Iowa, Montana, Washington and West Virginia residents: You may obtain one or more (depending on the state) additional copies of your credit report, free of charge. You must contact each of the credit bureaus directly to obtain such additional report(s).