According to Joe Patrice at Above the Law, there has been a cyber incident reported at Ricoh eDiscovery. Here is what Joe reports.

In this article, published back on December 29th, Joe reports that notification of the cyber incident reported at Ricoh started with an “email blasted to customers” the day before that said this:

“Valued customer,

On December 28, Ricoh learned that there may have been unauthorized access to the domain controller for our eDiscovery Services. In an abundance of caution, and for your protection, we have decided to disable external access while we investigate further.”

I saw his first article on Monday and looked for signs of any public statement from Ricoh on the “unauthorized access” that Joe reported but couldn’t find anything. Of course, Ricoh is a big company with a large website, so it may have been there somewhere, but I couldn’t find it.

Joe followed up with a second article with more information yesterday, which said:

“On the morning of New Year’s Eve, the company wrote:

We can confirm that based on forensics analysis, our investigation, and the report from our cybersecurity services partner SecureWorks, there is no indication that data has been accessed or compromised in association with this event. Furthermore, as of today, DBA analysis of the databases reveals no signs of unauthorized access, unexpected log entries or the creation of any new accounts.”

However, on the evening of the 31st, Joe reports that Ricoh followed up with another message, that said this:

“Our investigation reveals no indication that data has been compromised in association with this event, and, as of today. analysis of the databases reveals no signs of unauthorized database access, unexpected database log entries or creation of any new database accounts.”

Joe observed the “awkward phrasing shift from ‘no indication that data has been accessed or compromised’ to ‘no indication that data has been compromised… and no signs of unauthorized database access.’” Hmmm…

He also noted that “RICOH gave customers a doctor’s note to hand judges wondering why document productions are delayed” (a screen shot of which is on his article), likening it to “a note from Epstein’s mom” (yes, I got the reference, Joe – that was one of my favorite shows growing up!).

Joe also reported that Ricoh announced it would be back online at 8am today (which a source tells me they are), so, good for them.

I searched again today for any public statement on the cyber incident reported at Ricoh by Joe, but still found nothing. To my knowledge, they haven’t made any public statement about it – at least yet. If somebody knows otherwise, please send me a link. Normally, I try to find some publicly acknowledged statement from the company before covering but decided to cover what Joe is reporting after his second article. If I do find out about a public statement by Ricoh, I’ll either update this post or do a follow-up post on what they say.

Based on Joe’s report, this is the third example of an eDiscovery company getting hit with a cyber incident in less than 8 months (here are the two instances I reported on last year). The dichotomy in the level of public statements about the incidents is striking. It’s better to control the public narrative yourself than to have a reporter (even a reporter as excellent as Joe) control it for you. Cyber incidents can happen to anybody.

UPDATE (1/4/2023 12:06pm CT): I’m told that they pushed back access to “later in the day” (though that was last night, so it may still be up by now). Here is the notification they reportedly sent:

To Our Valued Customer,

The planned restoration of access to eDiscovery Services at 8:00 a.m. EST tomorrow, January 4, has been extended to later in the day. We are completing all remaining restoration activities, system verification tasks and user access testing. We will notify you as soon as eDiscovery Services are available.

As a reminder, there are no indications that data has been compromised in association with this issue.  

We apologize for any inconvenience this delay may cause and sincerely appreciate your patience while we work as quickly as possible to restore service.

UPDATE (1/4/2023 9:09pm CT): I received an email directly from Ricoh’s Director of Public and Media Relations to notify me that they are back up, as follows:

“Ricoh’s eDiscovery Services are now available.

On December 28 we identified unauthorized activity on our network and took immediate action to safeguard our system.  As a result, and out of an abundance of caution, we temporarily shut down operations related to the eDiscovery system.

Based on our investigation and information from our cybersecurity services partner, there is no indication that data has been accessed or compromised in association with this event.”

So, what do you think? Do these cyber incidents give you pause as to how your discovery data is hosted? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.