DocketWise, a widely used US immigration case management platform, suffered a data breach that exposed the personal records of 116,666 individuals. The breach, disclosed to the Maine Attorney General in early April 2026, began in September 2025 when an unauthorized actor used stolen credentials to access cloned repositories within the platform's data migration pipeline. Exposed data includes Social Security numbers, passport information, medical records, and attorney-client privileged case files.

What Happened

An unknown threat actor obtained valid credentials and used them to access DocketWise's data migration pipeline, specifically targeting cloned repositories within that infrastructure. The unauthorized access began in September 2025 and persisted for approximately seven months before public disclosure in April 2026. The extended dwell time suggests either that the intrusion evaded monitoring entirely or that detection capabilities within the migration pipeline were insufficient. The breach follows a supply chain attack pattern consistent with the broader targeting of legal technology vendors, where a single platform compromise yields access to data from hundreds of law firms simultaneously.

What Was Taken

The exposed dataset is exceptionally sensitive, both in content and context:

The 116,666 affected individuals are predominantly immigration applicants, a population facing heightened risk given the current federal enforcement climate. The exposure of asylum and deportation defense records creates immediate physical safety concerns for affected individuals.

Why It Matters

This breach sits at a dangerous intersection that defenders and legal professionals cannot afford to ignore.

For law firms: Every firm that used DocketWise now faces immediate obligations under ABA Model Rules requiring competent vendor oversight. Privilege review under Federal Rule of Evidence 502(b) is triggered for any exposed case files involved in active litigation. Firms that cannot demonstrate reasonable steps to prevent disclosure risk losing privilege protections entirely.

For the immigration community: Exposed asylum records, deportation defense strategies, and personal identifiers create risks that extend beyond identity theft. In a period of intensified immigration enforcement, this data in the wrong hands poses direct threats to personal safety.

For the legal technology sector: Class action investigations are already underway. The outcome of this litigation may establish new precedent for vendor liability standards, reshaping how law firms evaluate and monitor technology partners. The seven-month gap between initial compromise and disclosure will face intense scrutiny.

The Attack Technique

The attacker used stolen credentials to access DocketWise's data migration pipeline, a pattern that places this squarely in the supply chain compromise category. Rather than attacking individual law firms, the actor targeted the shared infrastructure layer where data was aggregated and moved between systems.

Key technical details:

The use of cloned repositories as the access point suggests the attacker understood the platform's architecture and targeted a component that would contain aggregated client data rather than attempting to breach production systems directly.

What Organizations Should Do

  1. Audit legal technology vendor security posture immediately. Require SOC 2 Type II reports, penetration test results, and incident response plans from every vendor handling privileged or sensitive client data. Do not accept self-attestations.

  2. Enforce MFA on all service accounts and migration pipelines. Credential theft remains the dominant initial access vector. Ensure that data migration infrastructure, often treated as internal tooling, receives the same authentication controls as production systems.

  3. Monitor for cloned or replicated data stores. Data migration pipelines frequently create copies of sensitive data in staging environments with weaker controls. Inventory all locations where client data is duplicated and apply equivalent protections.

  4. Implement anomalous access detection on data pipelines. The seven-month dwell time indicates a monitoring gap. Baseline normal access patterns for migration infrastructure and alert on deviations in volume, timing, or source.

  5. Review privilege exposure for active cases. Firms affected by this breach should conduct an immediate 502(b) review of exposed files tied to active proceedings and prepare to demonstrate that reasonable precautions were in place.

  6. Notify affected clients and assess safety risks. For immigration cases, particularly asylum and deportation defense matters, conduct a risk assessment that goes beyond standard breach notification to evaluate potential physical safety implications for exposed individuals.
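
The following is an added example, not code from DocketWise or the source article. It sketches the baselining described in step 4: build a per-account profile from historical migration-pipeline access events, then flag new events that deviate in source, timing, or volume. The log fields, account names, addresses, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample events: (ISO timestamp, service account, source IP, bytes read).
BASELINE = [
    ("2025-08-04T09:12:00", "svc-migrate", "10.20.0.15", 120_000_000),
    ("2025-08-05T10:03:00", "svc-migrate", "10.20.0.15", 135_000_000),
    ("2025-08-06T09:47:00", "svc-migrate", "10.20.0.16", 110_000_000),
    ("2025-08-07T11:30:00", "svc-migrate", "10.20.0.15", 128_000_000),
    ("2025-08-08T09:05:00", "svc-migrate", "10.20.0.16", 140_000_000),
]
NEW = [
    ("2025-09-02T09:40:00", "svc-migrate", "10.20.0.15", 125_000_000),
    ("2025-09-03T02:17:00", "svc-migrate", "203.0.113.44", 9_800_000_000),
    ("2025-09-04T10:10:00", "svc-unknown", "10.20.0.15", 1_000),
]

def build_baseline(events, prefix=24):
    """Per account: source networks, hours of day, median and MAD of bytes read."""
    grouped = defaultdict(list)
    for ts, acct, ip, size in events:
        grouped[acct].append((datetime.fromisoformat(ts).hour, ip, size))
    profile = {}
    for acct, rows in grouped.items():
        med = median(r[2] for r in rows)
        mad = median(abs(r[2] - med) for r in rows) or 1  # avoid a zero-width band
        nets = {ip_network(f"{r[1]}/{prefix}", strict=False) for r in rows}
        profile[acct] = {"nets": nets, "hours": {r[0] for r in rows}, "med": med, "mad": mad}
    return profile

def score(event, profile, k=6, hour_slack=1):
    """Return the list of reasons this event deviates from the account's baseline."""
    ts, acct, ip, size = event
    p = profile.get(acct)
    if p is None:
        return ["account-without-baseline"]
    reasons = []
    if not any(ip_address(ip) in n for n in p["nets"]):
        reasons.append("source")
    hour = datetime.fromisoformat(ts).hour
    if all(min(abs(hour - h), 24 - abs(hour - h)) > hour_slack for h in p["hours"]):
        reasons.append("timing")
    if size > p["med"] + k * p["mad"]:
        reasons.append("volume")
    return reasons

def alerts(events, profile):
    return [(e, r) for e in events if (r := score(e, profile))]
```

Median and MAD are used instead of mean and standard deviation so that a single large historical transfer does not widen the volume band; accounts with no baseline are reported rather than silently passed.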

Sources: When Your Legal Tech Vendor Gets Breached: DocketWise Incident Exposes 116,666 Immigration Records and a Profession's Blind Spot