Kerkering Barberio Used One Admin Password, Exposing 4,179 Clients' Data
Kerkering Barberio law firm’s single admin password exposed data of 4,179 people in 2025 breach.
Why it matters: Cybersecurity lapses like this threaten law firms’ client confidentiality and regulatory compliance. Legal professionals must strengthen access controls and breach response protocols to protect sensitive data.
- Kerkering Barberio law firm used one administrative password for all accounts, enabling unrestricted access to sensitive client data.
- Breach discovered May 27, 2025, exposed data on 4,179 individuals, including Social Security numbers, bank details, passports, medical records, and login credentials.
- Firm notified affected individuals on March 13, 2026, almost 10 months after discovery, highlighting breach response delays.
- Recent surveys show 29% of law firms reported security breaches, underscoring systemic cybersecurity vulnerabilities in the legal sector.
The Kerkering Barberio law firm suffered a data breach due to the use of a single administrative password granting universal access to its systems. This outdated security practice put client confidentiality at severe risk, as documented in a report by The Register.
The security incident, discovered on May 27, 2025, compromised sensitive personal information belonging to 4,179 individuals. Data exposed included Social Security numbers, bank account details, passport scans, medical records, and login credentials, according to the official data breach notification.
Despite the breach discovery in May 2025, Kerkering Barberio notified impacted clients only on March 13, 2026. The nearly 10-month delay reflects common challenges in breach response timelines within the legal industry, where thorough investigations and legal considerations often slow notifications.
This incident adds to a troubling industry trend. A recent survey found that 29% of law firms have reported experiencing data breaches, exposing systemic cybersecurity weaknesses. For example, the Blank Rome law firm faced a high-profile breach in May 2026 affecting 57,000 clients, demonstrating the scale of the challenge (LawSnap coverage).
Legal professionals must understand that client data protection hinges on strong access control policies. Relying on a single password opens universal access to sensitive information. Implementing multi-factor authentication (which requires users to provide multiple forms of identity verification) and robust password management are essential steps to reduce cyber risk and comply with regulatory standards.
By the numbers:
- 4,179 individuals — number of clients affected in Kerkering Barberio breach
- May 27, 2025 — date breach was discovered by Kerkering Barberio
- March 13, 2026 — date Kerkering Barberio notified affected individuals
Yes, but: While the firm’s password policy was clearly insufficient, the nearly 10-month delay in notification may also reflect internal investigation complexities and legal compliance processes.
What's next: Legal industry experts expect increased regulatory scrutiny on law firm cybersecurity practices and timely breach reporting in 2026.