The Email That Didn’t Look Dangerous


It started, as these things often do, with activity that didn’t look dangerous.


Grubman Shire Meiselas & Sacks was not a careless firm. It was one of the best-known entertainment law firms in the United States, trusted with contracts, negotiations and personal data whose value lay entirely in confidentiality.


In May 2020 the firm suffered a ransomware attack, attributed in press reporting to the REvil (Sodinokibi) group, that led to large-scale data theft and to public leaks when ransom demands were not met (Reuters, 2020). What followed was not just a technical incident but a reputational crisis.


Public reporting never confirmed how the attackers initially gained access. And that uncertainty is important. In many professional services breaches, the entry point is never disclosed - or never fully known.


What did become clear was what happened after access was obtained.

Once attackers were inside, a vast amount of sensitive material became reachable: private correspondence, draft agreements, client documents. A single compromised identity carried the firm's trust with it, letting the attackers move, observe and extract information at scale.


This is where email enters the story - not as the confirmed vulnerability, but as a force multiplier.


Email-based workflows increased the impact of the breach. Identity was inferred from sender addresses and familiarity rather than explicitly verified; a From address is asserted by whoever sends the message, and a compromised mailbox sends from the genuine one. Documents and decisions flowed through inboxes designed for speed, not containment. Once access controls failed, email-centric trust models made it difficult to limit the blast radius.


In other words, the breach wasn’t defined only by how attackers got in - but by how much trust unraveled once they did.


This pattern is familiar across professional services. In accounting and advisory firms, attackers have compromised mailboxes and then quietly monitored email traffic to learn invoice flows and client relationships before redirecting payments (FBI IC3, 2023). In HR consultancies, mailbox access has exposed years of personal data, triggering regulatory investigations and long-term reputational damage (ENISA, 2023).

Different sectors. Same dynamic.


Email creates a powerful illusion of legitimacy. If a message appears to come from the “right” person, it feels safe to open, forward, sign, or store. Over time, email replaces proper client onboarding, access-controlled portals, strong employee authentication, and secure document workflows - not by design, but by habit.
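The inference the paragraph above describes ("it appears to come from the right person, so it is safe") can at least be made explicit. The following is an added example, not code from the original article and not part of Trust Circle: it parses a From header and reports the cues a reader would rely on and the ways each can be faked. The trusted-domain list, the sample headers and the edit-distance threshold are constructed for illustration.

```python
"""Sender-identity heuristics: turning "it looks like it's from the right person"
into an explicit check with a stated reason.

Added example, not from the original article and not Trust Circle code.
The trusted-domain list, the sample From headers and the edit-distance
threshold are all constructed for illustration.
"""
import re
import unicodedata
from email.utils import parseaddr

# Constructed: domains this hypothetical firm has actually onboarded.
TRUSTED_DOMAINS = {"examplefirm.com", "client-studio.com"}

# Substitutions attackers use because they survive a glance at an address.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize_domain(domain: str) -> str:
    """Fold Latin diacritics and common look-alike substitutions so that
    examp1efirm.com and exämplefirm.com compare equal to examplefirm.com.
    (NFKD only covers Latin accents; Cyrillic or Greek homoglyphs need a
    full confusables table such as Unicode UTS #39.)"""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    for src, dst in CONFUSABLE_PAIRS:
        folded = folded.replace(src, dst)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-keystroke near-misses such as exampleflrm.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def is_trusted(domain: str, trusted: set[str]) -> bool:
    """Exact match or a subdomain of a trusted domain (mail.examplefirm.com)."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def assess_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1) -> dict:
    """Return the parsed sender, a verdict, and the reasons the familiar look may be wrong."""
    display_name, address = parseaddr(from_header)
    if not address or "@" not in address:
        return {"address": address, "display_name": display_name, "domain": "",
                "verdict": "unparseable", "findings": ["From header did not parse"]}
    domain = domain_of(address)
    findings = []

    trusted_domain = is_trusted(domain, trusted)
    if not trusted_domain:
        norm = normalize_domain(domain)
        for t in trusted:
            if t in domain:
                findings.append(f"trusted domain {t} embedded in unrelated domain {domain}")
            elif norm == normalize_domain(t):
                findings.append(f"{domain} is a look-alike of {t}")
            elif levenshtein(norm, normalize_domain(t)) <= max_distance:
                findings.append(f"{domain} is within {max_distance} edit(s) of {t}")

    # The display name is free text: it can carry a trusted address or the
    # firm's name while the real sending domain is something else entirely.
    if display_name and not trusted_domain:
        embedded = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
        if embedded and is_trusted(embedded.group(1).lower(), trusted):
            findings.append(f"display name shows trusted address {embedded.group(0)} "
                            f"but the sender is {address}")
        else:
            name_key = re.sub(r"[^a-z0-9]", "", display_name.lower())
            for t in trusted:
                org = re.sub(r"[^a-z0-9]", "", t.split(".")[0])
                if org in name_key:
                    findings.append(f"display name references {t} but sender domain is {domain}")

    if findings:
        verdict = "suspicious"
    elif trusted_domain:
        verdict = "trusted-domain"   # still only a domain: a compromised mailbox passes this
    else:
        verdict = "unknown"          # not a look-alike, but nothing vouches for it either
    return {"address": address, "display_name": display_name, "domain": domain,
            "verdict": verdict, "findings": findings}


# Constructed sample headers: one genuine sender, one subdomain, then the patterns above.
SAMPLE_FROM_HEADERS = [
    "Alice Partner <alice@examplefirm.com>",
    "Alice Partner <alice@mail.examplefirm.com>",
    "Alice Partner <alice@examp1efirm.com>",
    "Alice Partner <alice@exämplefirm.com>",
    "Alice Partner <alice@exampleflrm.com>",
    '"alice@examplefirm.com" <alice@webmail-relay.net>',
    "Example Firm Billing <billing@examplefirm.com.invoices-portal.net>",
    "New Contact <bob@unrelated-studio.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        result = assess_sender(header)
        print(f"{result['verdict']:15} {header}")
        for finding in result["findings"]:
            print(f"{'':15}  - {finding}")
```

Two caveats matter for the article's argument. First, this is triage, not verification: it only names the cues a reader would otherwise weigh unconsciously. Second, even the "trusted-domain" verdict says nothing about who is at the keyboard; a message sent from a compromised mailbox carries the genuine address and passes every check here, which is exactly the situation the Grubman breach and the BEC cases above describe.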


Regulation hasn’t broken this pattern. Many firms are operating under intense compliance pressure - ISO requirements, GDPR obligations, sector-specific rules - while the practical reality of work still runs through inboxes. Compliance grows. Actual assurance quietly erodes.

The lesson from incidents like Grubman isn’t that firms need to try harder. It’s that the model itself has reached its limits.


Sensitive work is still handled outside secure client portals. Employees with access to high-risk material still rely on passwords and phishable MFA such as SMS codes or push approvals. Documents are shared and signed through emailed links rather than identity-anchored workflows and qualified electronic signatures with local trust anchors.


None of this feels reckless in the moment. Until it becomes public.

This gap between perceived trust and actual assurance is what we’re trying to address with Trust Circle. Not by blaming firms for using email - but by acknowledging reality. Attackers target identity. So the most sensitive work needs to live in spaces where identity is explicit, authentication is strong, and documents don’t spill into inboxes by default.

Secure Your Reputation with Trust Circle

Email-centric trust has reached its limit: one compromise can unravel a firm's entire reputation. Trust Circle replaces insecure inboxes with identity-anchored workflows and biometric security.


This story isn’t about one firm. It’s about a way of working that has quietly stretched beyond what it can safely carry.


And the question many professionals are now asking - often only after an incident - is simple:

Why does email still hold so much of our reputation?


Sources (further reading):