Executive Summary
The DocketWise data breach, officially disclosed in April 2026, impacted 116,666 individuals, including clients of law firms utilizing the DocketWise immigration case management platform. The breach originated from unauthorized access to valid credentials associated with a third-party partner system, enabling an attacker to clone repositories containing unstructured client data. The compromised information includes names, Social Security numbers, government-issued identification numbers, contact details, financial account data, and health-related information. The breach was first detected in October 2025, with the initial compromise occurring on September 1, 2025, and full discovery on February 19, 2026. There is no evidence of malware deployment or ongoing unauthorized access after the initial incident. DocketWise has offered 24 months of credit monitoring and identity restoration services to affected individuals and has implemented additional security measures. The incident underscores the critical risks associated with third-party credential management and the heightened sensitivity of data in the legal and immigration sectors. All information in this summary is directly supported by official regulatory filings and independent law firm investigations (https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/ea1cd7bf-6a54-40e4-8767-8190a65fbc4d.html, https://www.federmanlaw.com/blog/docketwise-data-breach-investigated-by-federman-sherwood/, https://www.prnewswire.com/news-releases/data-breach-alert-edelson-lechtzin-llp-investigates-docketwise-data-breach-302734965.html).
Technical Information
The DocketWise breach was executed through credential abuse, specifically targeting a third-party partner repository integrated with the DocketWise data migration pipeline. The attacker obtained valid credentials, which allowed access to and cloning of repositories containing unstructured data from law firm customers. This data included highly sensitive personally identifiable information (PII) and protected health information (PHI), such as names, Social Security numbers, government-issued IDs, contact information, financial account details, payment card data, tax IDs, health insurance policy numbers, and medical condition or treatment data. The attack did not involve malware, ransomware, or advanced persistent threats; rather, it relied solely on the use of valid credentials and standard repository cloning tools, likely leveraging protocols such as HTTPS.
The technical progression of the attack began with the compromise of credentials associated with a third-party partner system. The attacker then used these credentials to access and clone repositories linked to DocketWise’s data migration processes. The repositories contained unstructured data, which is data not organized in a pre-defined manner, making it more challenging to monitor and secure. The exfiltrated data was primarily client information from law firms using the DocketWise platform.
No evidence was found of lateral movement within the DocketWise environment, privilege escalation, or the deployment of persistence mechanisms. The breach was contained to the initial credential abuse and repository cloning activity. Third-party cybersecurity experts engaged by DocketWise confirmed that there was no ongoing unauthorized access after the initial incident.
The attack aligns with several MITRE ATT&CK techniques. The initial access vector corresponds to Valid Accounts (T1078), as the attacker used legitimate credentials to gain entry. The collection phase matches Data from Information Repositories (T1213), reflecting the access and cloning of repositories. The exfiltration phase is consistent with Exfiltration Over Web Service (T1567.002), as the data was likely transferred using standard web protocols. These mappings are supported by explicit statements in the primary sources and are assessed with high confidence.
No specific threat actor or group has been attributed to this incident. The attack method is consistent with both financially motivated cybercriminals and state-affiliated actors, but there is no technical evidence, such as unique malware or infrastructure, to support attribution. The use of credential abuse and repository exfiltration is a common tactic in recent supply chain and legal sector breaches, but no direct link to known threat actors has been established.
The breach highlights the particular vulnerability of legal technology providers, especially those handling immigration and sensitive client data. The concentration of PII and PHI in such platforms makes them attractive targets for identity theft, immigration fraud, and financial crime. The incident also demonstrates the risks associated with third-party integrations and the importance of robust credential management and monitoring.
Affected Versions & Timeline
The breach affected the DocketWise platform as used by law firm customers during the period leading up to and including September 1, 2025. The specific versions of the platform are not detailed in public disclosures; however, the compromise was linked to the data migration pipeline and associated third-party partner repositories.
The verified timeline of events is as follows: The breach occurred on September 1, 2025. Suspicious activity was identified in October 2025, when DocketWise detected unauthorized access to credentials associated with a third-party partner system. The breach was formally discovered on February 19, 2026, after a comprehensive investigation. Notification to affected individuals began on April 3, 2026, and public disclosure by law firms and regulatory bodies followed on April 6, 2026.
The total number of individuals affected is 116,666, with 13 Maine residents specifically identified in the official regulatory filing. The compromised data was stored in unstructured repositories connected to the data migration pipeline, and the exposure was limited to clients of law firms utilizing the DocketWise platform during the affected period.
Threat Activity
The threat activity in this incident was characterized by the use of valid credentials to access and clone third-party partner repositories integrated with the DocketWise data migration pipeline. The attacker’s actions were limited to credential abuse and data exfiltration, with no evidence of malware deployment, lateral movement, or persistence mechanisms.
The attack method is mapped to the following MITRE ATT&CK techniques: Valid Accounts (T1078), Data from Information Repositories (T1213), and Exfiltration Over Web Service (T1567.002). The use of valid credentials suggests that the attacker may have obtained them through phishing, credential stuffing, or compromise of the third-party partner, but the exact method of credential acquisition is not specified in the available evidence.
No specific threat actor attribution has been made. The tactics used are common among both financially motivated and state-affiliated actors targeting legal, SaaS, and supply chain environments. The absence of malware or advanced tooling indicates a focus on stealth and efficiency, relying on existing access controls and repository management tools.
The breach exposed highly sensitive data, including PII and PHI, which is particularly valuable for identity theft, immigration fraud, and financial crime. The legal and immigration sectors are increasingly targeted due to the regulatory and reputational risks associated with data exposure. The incident demonstrates the importance of monitoring third-party integrations and enforcing strong credential management practices.
Mitigation & Workarounds
The following mitigation and workaround measures are recommended, prioritized by severity:
Critical: Immediate review and rotation of all credentials associated with third-party partner systems and data migration pipelines. Implement multi-factor authentication (MFA) for all external integrations and administrative accounts to prevent unauthorized access through credential compromise.
High: Conduct a comprehensive audit of all third-party integrations and repository access controls. Restrict repository access to only those accounts and systems that require it, and implement monitoring for anomalous access patterns, such as large-scale cloning or data exfiltration.
Medium: Enhance logging and alerting for repository access and data migration activities. Regularly review access logs for signs of unauthorized activity and ensure that incident response procedures are in place for rapid detection and containment of credential-based attacks.
Low: Provide ongoing security awareness training for staff and partners, emphasizing the risks of credential compromise and best practices for password management and phishing prevention.
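The monitoring the High and Medium items call for can be prototyped as a small detection over repository access logs. The following is an added example and not code from DocketWise, Rescana, or any of the cited sources; it assumes a constructed key=value access log for an HTTPS git server, a constructed per-credential baseline of known source addresses, and arbitrary thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real DocketWise data). The assumed
# migration credential normally touches one repo at a time from 198.51.100.10.
SAMPLE_LOG = """\
2025-09-01T01:58:41Z user=analyst-jdoe ip=198.51.100.22 repo=firm-c/clients action=fetch
2025-09-01T02:14:03Z user=migration-svc ip=203.0.113.7 repo=firm-a/clients action=clone
2025-09-01T02:14:09Z user=migration-svc ip=203.0.113.7 repo=firm-b/clients action=clone
2025-09-01T02:14:15Z user=migration-svc ip=203.0.113.7 repo=firm-c/clients action=clone
2025-09-01T02:14:22Z user=migration-svc ip=203.0.113.7 repo=firm-d/clients action=clone
2025-09-01T02:14:30Z user=migration-svc ip=203.0.113.7 repo=firm-e/clients action=clone
2025-09-01T03:05:10Z user=analyst-jdoe ip=198.51.100.22 repo=firm-c/clients action=push
"""

# Constructed baseline: source addresses each credential has historically used.
KNOWN_SOURCES = {"migration-svc": {"198.51.100.10"}, "analyst-jdoe": {"198.51.100.22"}}


def parse_line(line):
    """Turn one 'ts key=value ...' log line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(log_text, max_repos=3, window=timedelta(minutes=10)):
    """Return alerts for (a) a clone from a source IP the credential has never
    used and (b) a credential cloning more than max_repos distinct repositories
    inside one sliding window. Thresholds are assumptions for illustration."""
    alerts, seen_new = [], set()
    clones = defaultdict(list)  # user -> [(ts, repo)] for clone events only
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["action"] != "clone":
            continue
        key = (rec["user"], rec["ip"])
        if rec["ip"] not in KNOWN_SOURCES.get(rec["user"], set()) and key not in seen_new:
            seen_new.add(key)  # one alert per credential/source pair
            alerts.append(("new_source", rec["user"], rec["ip"]))
        clones[rec["user"]].append((rec["ts"], rec["repo"]))
    for user, events in clones.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide window forward
                start += 1
            distinct = {repo for _, repo in events[start:end + 1]}
            if len(distinct) > max_repos:
                alerts.append(("bulk_clone", user, len(distinct), ts))
                break  # one alert per credential is enough for triage
    return alerts
```

In production the baseline would come from historical logs rather than a literal, and a service credential used by a migration pipeline is exactly the kind of account for which a tight per-window repository cap is cheap to enforce.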
DocketWise has already implemented additional security measures and is reviewing its policies to prevent similar incidents. Affected individuals have been offered 24 months of complimentary credit monitoring and identity restoration services through IDX.
References
Maine Attorney General Data Breach Notice (Official Regulatory Filing): https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/ea1cd7bf-6a54-40e4-8767-8190a65fbc4d.html
Federman & Sherwood Law Firm Investigation (Technical Analysis): https://www.federmanlaw.com/blog/docketwise-data-breach-investigated-by-federman-sherwood/
Edelson Lechtzin LLP via PR Newswire (Class Action and Technical Disclosure): https://www.prnewswire.com/news-releases/data-breach-alert-edelson-lechtzin-llp-investigates-docketwise-data-breach-302734965.html
MITRE ATT&CK Techniques:
Valid Accounts (T1078): https://attack.mitre.org/techniques/T1078/
Data from Information Repositories (T1213): https://attack.mitre.org/techniques/T1213/
Exfiltration Over Web Service (T1567.002): https://attack.mitre.org/techniques/T1567/002/
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with external vendors and partners. Our platform enables continuous visibility into third-party integrations, credential management practices, and data access patterns, supporting proactive detection and mitigation of supply chain and credential-based threats. For questions regarding this incident or to discuss how our capabilities can support your organization’s risk management strategy, please contact us at ops@rescana.com.