Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Apr 06, 2026 · 6 min read

DocketWise Breach Exposed 116,000 Immigration Clients' Most Sensitive Data

Passport numbers, Social Security numbers, and medical records from immigration cases sat in cloned repositories for months before anyone was told.

Scattered immigration documents and passports on a desk with a laptop showing a breach notification

What Happened

DocketWise, a cloud based immigration case management platform used by law firms across the United States, disclosed that unauthorized actors used valid credentials to clone certain third party partner repositories. Some of those repositories were part of a data migration pipeline for the DocketWise application and contained unstructured data belonging to law firm clients and their customers.

The breach was discovered in October 2025, but notifications to the 116,666 affected individuals did not begin until April 3, 2026, more than five months later.

What Was Exposed

The data compromised in this breach is among the most sensitive information a person can have, particularly for individuals navigating the immigration system:

  • Full names, addresses, and dates of birth
  • Social Security numbers and government issued ID numbers
  • Driver's license and passport numbers
  • Financial account numbers and payment card information
  • Tax identification numbers
  • Health insurance policy numbers and medical treatment information
  • Usernames and access credentials

For immigration clients, this data is not just personally identifiable information. It is the documentation of their legal status, their medical history, and their financial standing. In the wrong hands, it creates opportunities for identity theft, immigration fraud, and targeted scams against an already vulnerable population.

How the Breach Occurred

According to DocketWise's disclosure, the attackers gained access using valid credentials, not by exploiting a software vulnerability, but by obtaining legitimate login information for third party partner repositories. Once inside, they cloned repositories that were part of DocketWise's data migration pipeline.

Data migration pipelines often contain raw, unstructured data that has been exported from one system for import into another. This data frequently lacks the access controls and encryption applied to production databases, making it a high value target for attackers who know where to look. The pattern is similar to what happened when the European Commission lost 350GB through a compromised AWS account, where peripheral systems proved to be the weakest link.

Five Months of Silence

DocketWise discovered the breach in October 2025 but did not begin notifying affected individuals until April 3, 2026. That is over five months during which 116,666 people had no idea their most sensitive data, including passport numbers, Social Security numbers, and medical records, was potentially in criminal hands.

Delayed notification is a recurring problem in data breaches. During the gap, affected individuals cannot freeze their credit, monitor for fraudulent use of their documents, or take steps to protect themselves. For immigration clients specifically, a stolen passport number or compromised legal documentation could have implications for pending applications or legal proceedings. This mirrors patterns seen in other breaches where companies waited months to notify those affected.

Why Immigration Data Is Uniquely Dangerous

Immigration case files contain a concentrated profile of a person's entire identity. Unlike a typical data breach that might expose an email address and password, this breach exposed the documents people use to prove who they are to governments.

An attacker with access to a victim's passport number, Social Security number, tax ID, and medical history could file fraudulent tax returns, open financial accounts, apply for government benefits, or create forged identity documents. For people in the immigration system, the consequences can be even more severe: fraudulent filings made in their name could jeopardize legitimate applications or trigger enforcement actions.

The legal community is taking notice. Shamis and Gentile, a class action law firm specializing in data breach cases, has announced an investigation into the incident.

What Affected Individuals Should Do

If you are a client of an immigration law firm that uses DocketWise, or if you have received a breach notification:

  • Freeze your credit at all three bureaus (Equifax, Experian, TransUnion) immediately. This prevents anyone from opening new accounts in your name.
  • Monitor your financial accounts for unfamiliar transactions, especially any new account openings or credit applications.
  • Watch for immigration related fraud by checking with your attorney whether any unexpected filings have been made using your information.
  • File an IRS Identity Protection PIN to prevent fraudulent tax returns using your stolen SSN and tax ID.
  • Be alert for targeted phishing. Attackers who know your immigration status, attorney's name, and case details can craft extremely convincing scam emails and calls.

The Bigger Problem

DocketWise is not the only legal technology platform handling sensitive client data. The legal industry has increasingly moved to cloud based case management systems, and immigration law firms deal with some of the most sensitive personal information of any legal practice. When these platforms are compromised, the consequences fall hardest on the people who entrusted their most important documents to the legal system.

The breach also highlights a systemic weakness: data migration pipelines. Organizations that carefully secure their production databases sometimes leave migration data, which can contain the same sensitive information, in repositories with weaker access controls. Attackers know this, and they are increasingly targeting the infrastructure around applications rather than the applications themselves.