Cybersecurity: Attack on Law Firms

Dilara Devin outlines the threat of cybercrime and the challenges that it poses for law firms using modern technology in the wake of the Covid-19 pandemic and increased use of computer systems and cloud-based services.

Cybersecurity threats

Cybercrime is one of the biggest challenges facing law firms currently and in the future. Especially following the wake of the pandemic there has been a growing trend of organisations relying more on computer systems and cloud-based services. Additionally, due to the lockdown periods, lawyers have had to use personal devices while working from home. Action Fraud estimates that over £2 million has been lost due to COVID-19 scams over a few months with almost half of businesses reporting having experienced cybersecurity breaches.

Why are law firms targeted?

Cybercriminals target law firms because of the wealth of client information they manage, the numerous trade secrets and intellectual property which they possess. One example would be making illegal profits after obtaining sensitive information about an ongoing merger and acquisition deal for the purposes of insider trading.

Moreover, the data law firms normally have are confidential documents that are crucial for a law firm to carry on with its day-to-day business. This means that a cybersecurity attack would not only risk paralysing a law firm but could also lead to reputational damage and loss of client trust.

How are law firms attacked? (including real life examples)

More recently, in May 2020, Advanced Computer Software, a large software provider, was infiltrated by ransomware launched by Maze and REvil, hacker groups. The flaw was first discovered by TurgenSec, a small technology company. This affected a number of major law firms including Clifford Chance, Slaughter & May, Weil Gotshal & Manges and White & Case. The cache of data included Companies House property transaction forms and authentication details. Advanced Computer Software as well as Clifford Chance confirmed that a large amount of the data predated 2017 and was mostly in the public record already. However, more sensitive data such as email addresses, passwords and security verification were also in the database. Yet, it was highlighted that only a very limited amount of information was discernible from this data and that the passwords were in secure hash form.

2020 has proven to be a popular year for ransomware, which is where an organisations’ network is targeted, entered into usually via a phishing email (a fraudulent email with a link that mimics a legitimate communication by a trusted source) which contains a malware. This malware then enters the network, locking down the organisation’s computer system, threatening to shut it down unless a random is paid. An even newer trend has been double-extortion ransomware, where the attackers threaten to leak stolen data onto the internet. The intention behind this is that reputational damage would prove a greater threat for certain organisations even if they do manage to have the appropriate backups in place to mitigate a standard ransomware attack. Of course, this poses a very real and potentially very devastating threat for law firms. In fact, in May 2020, a New York based media and entertainment specialist law firm, Grubman Shire Meiselas & Sacks, was hacked. This law firm has high-net-worth musician clients such as Sir Elton John, Lady Gaga, Lil Nas X and Drake. Using the method of double-extortion ransomware described above, the attackers released an alleged screenshot of a contract of Madonna and demanded ransom.

How can law firms protect themselves?

Law firms cannot afford to be cheap when it comes to cybersecurity when its survival is so dependent on having access to data/documents and keeping this information safe. One guidance emphasised by Six Degrees’ whitepaper, a leading cybersecurity service provider, is for law firms to keep active and engaged. It is not enough to simply install systems and leave them running. Law firms must continually assess their security levels, train their employees and manage data securely. For instance, employees can be trained via cyber simulation exercises to identify phishing emails. Consequently, the firm will be in a better position to spot and block the source of suspicious emails.

Some other guidance provided by the law firm Taylor Wessing and Travelers, a business insurer, is to review access rules. This is where data is categorised between sensitive and non-sensitive data, then depending on its category, different levels of security are implemented. For example, for the most sensitive data, which could cause the most damage in the event of it being compromised, access should be allowed on a need-to-know basis.

~ Dilara Devin, The Student Lawyer