The New York Times covers the story here.
This is not the first time I've read that lawyers (even lawyers at the largest and most sophisticated law firms) are sometimes the weakest link in a company's data security chain. Another way of thinking about this is that lawyers may be able to satisfy their ethical obligations fairly easily under newly adopted Rule 1.6(c), but cybersecurity is an increasingly important client relations issue, particularly for law firms with clients who have high value confidential information.