CSIRT-CAN – Centro de Respuesta a Incidentes de Seguridad de Canarias

Multi-factor authentication is not optional: an analysis of the Wiley Rein case


The prominent US law firm Wiley Rein has been named in a proposed class-action lawsuit alleging that the firm failed to protect sensitive personal data stolen by hackers believed to be affiliated with the Chinese government.

The complaint alleges that cybercriminals accessed Microsoft 365 email accounts belonging to certain Wiley Rein employees between July 2024 and June 2025 before the company detected the intrusion last year.

The stolen data allegedly includes names, addresses, dates of birth, financial account numbers, medical information, and full or partial Social Security numbers, according to the lawsuit. The company did not begin notifying victims until around March 6, 2026, the complaint alleges.

"The Wiley Rein breach differs from typical data breaches because it affects consumers who had no relationship with Wiley Rein, never sought it out, and never consented to Wiley Rein collecting and storing their information," the lawsuit stated.

This case is a reminder of how fragile security controls can be, especially when we hand our data to third parties that have not taken preventive measures.

At a time when cyberattacks are so frequent, precautions like two-factor authentication are non-negotiable.

Let's look at a series of scenarios in which the attack could have been prevented.

Scenario 1: Without two-factor authentication
The attacker sends a phishing email, obtains the username and password, logs into Microsoft 365, and can review emails. In this way, they have full access to all the information shared in emails.

Scenario 2: With basic two-factor authentication
With MFA enabled, stealing the password wouldn't be enough. The attacker would also have needed to bypass the second factor: SMS code, push notification, authenticator app, physical token, or similar. In practice, the attack would likely have unfolded as follows:

1. The employee falls for the phishing scam and enters their password.
2. The attacker attempts to log in.
3. Microsoft 365 requests the second factor.
4. If the employee does not approve the request, access is blocked.
5. The incident may be reduced to “stolen credentials” instead of “compromised mailbox.”

Scenario 3: With phishing-resistant MFA
The most robust scenario would have been to use physical security keys with certificate authentication. This is especially relevant in legal contexts with access to sensitive information. This method is used in Spain through digital certificates to ensure the security of customer data at all times.
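The three scenarios above can be read back out of sign-in telemetry. The following is an added example, not code from CSIRT-CAN or from the case: it triages Microsoft 365 sign-in records per account into the page's scenarios. The records are constructed, the field names are an assumption modelled on the Microsoft Graph signIn schema, and the `triage` function and ten-minute window are this example's own choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (assumption: field names follow the
# Microsoft Graph signIn schema; every value here is invented).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-07-02T08:10:00Z", "userPrincipalName": "a.lopez@firm.example",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-07-02T08:12:00Z", "userPrincipalName": "b.ruiz@firm.example",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 500121}},
    {"createdDateTime": "2024-07-02T08:14:00Z", "userPrincipalName": "b.ruiz@firm.example",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 500121}},
    {"createdDateTime": "2024-07-02T08:15:00Z", "userPrincipalName": "b.ruiz@firm.example",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-07-02T09:00:00Z", "userPrincipalName": "c.diaz@firm.example",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
]

MFA_DENIED = 500121          # AADSTS500121: the second factor was not satisfied
WINDOW = timedelta(minutes=10)  # example's own choice for "shortly after"


def _ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def triage(records):
    """Map each account to the scenario its sign-in timeline matches."""
    by_user = defaultdict(list)
    for rec in sorted(records, key=_ts):
        by_user[rec["userPrincipalName"]].append(rec)

    findings = {}
    for user, events in by_user.items():
        finding, last_denied = "no-concern", None
        for rec in events:
            ok = rec["status"]["errorCode"] == 0
            mfa = rec["authenticationRequirement"] == "multiFactorAuthentication"
            if ok and not mfa:
                # Scenario 1: password alone opened the mailbox.
                finding = "scenario1-single-factor-success"
                break
            if rec["status"]["errorCode"] == MFA_DENIED:
                # Scenario 2, step 4: password known, second factor withheld.
                finding, last_denied = "scenario2-stolen-credentials", _ts(rec)
            elif ok and mfa and last_denied and _ts(rec) - last_denied <= WINDOW:
                # A prompt was approved right after denials: treat as a mailbox, not a credential, incident.
                finding = "scenario2-mfa-approved-after-denials"
                break
        findings[user] = finding
    return findings
```

Running `triage(SAMPLE_SIGNINS)` classifies the first account as a single-factor compromise, the second as an MFA prompt approved after repeated denials, and the third as unremarkable.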


Two-factor authentication does not prevent an attack, but it can prevent a personal data breach.